Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/01/11 09:50:14 UTC

[GitHub] [pulsar] nodece opened a new pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece opened a new pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172


   Signed-off-by: Zixuan Liu <no...@gmail.com>
   
   ### Motivation
   
   If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
   
   ### Modifications
   
   - Disallow parsing of token with none signature in authenticateToken 
   
   ### Verifying this change
   
   - [ ] Make sure that the change passes the CI checks.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
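The check the PR description calls for, as an added illustration in stdlib Python rather than Pulsar's own Java implementation: a minimal JWT verifier that takes the algorithm from a server-side allowlist, so a token whose header claims "none" is refused before any claim is read. The secret and subjects are constructed test values.

```python
import base64
import hashlib
import hmac
import json

# Server-side allowlist of acceptable algorithms. "none" is deliberately absent:
# such a token carries no signature, so accepting it means trusting whatever
# subject the client wrote into the payload (the bypass described in the PR).
ALLOWED_ALGS = {"HS256": hashlib.sha256}


def _b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def authenticate_token(token: str, secret: bytes) -> str:
    """Return the subject claim if the token uses an allowed algorithm and its
    signature verifies under `secret`; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    # Pick the algorithm from the allowlist, never from the token alone: an
    # unsigned ("none") token is rejected here, before any claim is looked at.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} is not allowed")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, ALLOWED_ALGS[alg]).digest()
    # Constant-time comparison so verification time does not leak the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))["sub"]


def make_token(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Test fixture: build an HS256 token, or with alg="none" the unsigned
    form (empty signature segment) that a correct verifier must refuse."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header_b64}.{payload_b64}."
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, ALLOWED_ALGS[alg]).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"
```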



[GitHub] [pulsar] tuteng commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

Posted by GitBox <gi...@apache.org>.
tuteng commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-773071370


   /pulsarbot run-failure-checks





[GitHub] [pulsar] hangc0276 commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

hangc0276 commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-759210659


   /pulsarbot run-failure-checks





[GitHub] [pulsar] nodece commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-759900649


   @hangc0276 `CI - Integration - Sql / sql` still failed.





[GitHub] [pulsar] nodece commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-766691548


   /pulsarbot run-failure-checks
   
   





[GitHub] [pulsar] 315157973 commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

315157973 commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-758355864


   /pulsarbot run-failure-checks





[GitHub] [pulsar] codelipenghui commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

codelipenghui commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-764173581


   @nodece Please rebase the master branch





[GitHub] [pulsar] 315157973 removed a comment on pull request #9172: Disallow parsing of token with none signature in authenticateToken

315157973 removed a comment on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-758353068


   /pulsarbot run-failure-checks








[GitHub] [pulsar] nodece commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-763402710


   /pulsarbot run-failure-checks
   





[GitHub] [pulsar] tuteng commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

tuteng commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-763402609


   /pulsarbot run-failure-checks
   
   





[GitHub] [pulsar] sijie commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

sijie commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-758403710


   @315157973 Great catch!
   
   @nodece Can you add a flag to turn this validation on/off?





[GitHub] [pulsar] tuteng commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

tuteng commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-763630060


   /pulsarbot run-failure-checks





[GitHub] [pulsar] nodece commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-772373652


   /pulsarbot run-failure-checks
   
   





[GitHub] [pulsar] nodece commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-775016005


   All tests have passed.





[GitHub] [pulsar] 315157973 commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

315157973 commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-758353068


   /pulsarbot run-failure-checks





[GitHub] [pulsar] sijie merged pull request #9172: Disallow parsing of token with none signature in authenticateToken

sijie merged pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172


   





[GitHub] [pulsar] tuteng commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

tuteng commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-762936539


   /pulsarbot run-failure-checks





[GitHub] [pulsar] nodece commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-762645591


   @sijie `CI - Integration - Sql / sql (pull_request)` always failed. Could you reset that?





[GitHub] [pulsar] hangc0276 commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

hangc0276 commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-758666021


   /pulsarbot run-failure-checks





[GitHub] [pulsar] sijie commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

sijie commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-775760933


   @nodece Awesome contribution! 
   





[GitHub] [pulsar] nodece commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-766343089


   /pulsarbot run-failure-checks
   
   








[GitHub] [pulsar] nodece removed a comment on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece removed a comment on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-763402710


   /pulsarbot run-failure-checks
   





[GitHub] [pulsar] sijie commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

sijie commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-758277123


   /pulsarbot run-failure-checks








[GitHub] [pulsar] nodece commented on pull request #9172: Disallow parsing of token with none signature in authenticateToken

nodece commented on pull request #9172:
URL: https://github.com/apache/pulsar/pull/9172#issuecomment-763521556


   /pulsarbot run-failure-checks
   
   

