Posted to issues@hive.apache.org by "David Mollitor (Jira)" <ji...@apache.org> on 2020/06/16 16:23:00 UTC
[jira] [Updated] (HIVE-23704) Thrift HTTP Server Does Not Handle Auth Handle Correctly
[ https://issues.apache.org/jira/browse/HIVE-23704?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Mollitor updated HIVE-23704:
----------------------------------
Description:
{code:java|title=ThriftHttpServlet.java}
private String[] getAuthHeaderTokens(HttpServletRequest request,
String authType) throws HttpAuthenticationException {
String authHeaderBase64 = getAuthHeader(request, authType);
String authHeaderString = StringUtils.newStringUtf8(
Base64.decodeBase64(authHeaderBase64.getBytes()));
String[] creds = authHeaderString.split(":");
return creds;
}
{code}
So here, it takes the authHeaderBase64 (which is a base-64 string), converts it into bytes, and then tries to decode those bytes. That is incorrect. It should convert the base-64 string directly into bytes.
I tried to do this as part of [HIVE-22676] and the tests were failing because the string that is being decoded is not actually Base-64 (see attached image). It has a stray space and a colon. Again, the existing code doesn't care because it's not parsing Base-64 text, it is parsing the bytes generated by converting base-64 text to bytes.
I'm not sure what effect this has, or what security issues this may present, but it's definitely not correct.
was:
{code:java|title=ThriftHttpServlet.java}
private String[] getAuthHeaderTokens(HttpServletRequest request,
String authType) throws HttpAuthenticationException {
String authHeaderBase64 = getAuthHeader(request, authType);
String authHeaderString = StringUtils.newStringUtf8(
Base64.decodeBase64(authHeaderBase64.getBytes()));
String[] creds = authHeaderString.split(":");
return creds;
}
{code}
So here, it takes the authHeaderBase64 (which is a base-64 string), converts it into bytes, and then tries to decode those bytes. That is incorrect. It should convert the base-64 string directly into bytes.
I tried to do this as part of [HIVE-22676] and the tests were failing because the string that is being decoded is not actually Base-64 (see attached image). Again, the existing code doesn't care because it's not parsing Base-64 text, it is parsing the bytes generated by converting base-64 text to bytes.
I'm not sure what effect this has, or what security issues this may present, but it's definitely not correct.
> Thrift HTTP Server Does Not Handle Auth Handle Correctly
> --------------------------------------------------------
>
> Key: HIVE-23704
> URL: https://issues.apache.org/jira/browse/HIVE-23704
> Project: Hive
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.1.2, 2.3.7
> Reporter: David Mollitor
> Assignee: David Mollitor
> Priority: Critical
> Fix For: 4.0.0
>
> Attachments: Base64NegotiationError.png
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
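The snippet in the ticket decodes the header with commons-codec, whose decoder silently skips any byte outside the Base64 alphabet; that is why a header carrying the stray space and colon from the attachment still decodes "successfully" regardless of whether the String or the byte[] overload is used. The following is an added example, not Hive code and not a proposed patch for HIVE-23704: it reproduces the servlet's decoding path on a constructed header, checks that the two commons-codec overloads agree, and contrasts them with a hypothetical `decodeStrict` helper (an assumption of this example) that uses `java.util.Base64`, which rejects illegal characters, and splits on the first colon only so a password containing ':' survives. The class name, helper names and the sample credentials are all made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;

public class AuthHeaderDecodeCheck {

    // Same steps as the getAuthHeaderTokens() body quoted in the ticket:
    // String -> platform-default bytes -> lenient commons-codec decode -> split on every ':'.
    static String[] decodeLikeServlet(String authHeaderBase64) {
        String authHeaderString = StringUtils.newStringUtf8(
                Base64.decodeBase64(authHeaderBase64.getBytes()));
        return authHeaderString.split(":");
    }

    // Hypothetical stricter variant (assumed for this example, not Hive's fix):
    // java.util.Base64 throws IllegalArgumentException on bytes outside the alphabet,
    // and splitting on the first ':' keeps any further colons inside the password.
    static String[] decodeStrict(String authHeaderBase64) {
        byte[] raw = java.util.Base64.getDecoder().decode(authHeaderBase64);
        String s = new String(raw, StandardCharsets.UTF_8);
        int idx = s.indexOf(':');
        if (idx < 0) {
            throw new IllegalArgumentException("credentials lack a ':' separator");
        }
        return new String[] { s.substring(0, idx), s.substring(idx + 1) };
    }

    public static void main(String[] args) {
        // Constructed inputs: "alice:s3cr:et" encoded once cleanly, and once with the
        // stray " :" the ticket describes placed in front of the Base64 text.
        String clean = Base64.encodeBase64String(
                "alice:s3cr:et".getBytes(StandardCharsets.UTF_8));
        String withJunk = " :" + clean;

        // The two commons-codec overloads decode the same bytes: the String overload
        // is just decodeBase64(StringUtils.getBytesUtf8(s)), so for ASCII header text
        // the only difference from getBytes() is the default-charset dependency.
        boolean overloadsAgree = Arrays.equals(
                Base64.decodeBase64(withJunk),
                Base64.decodeBase64(withJunk.getBytes(StandardCharsets.UTF_8)));
        System.out.println("commons-codec overloads agree: " + overloadsAgree);

        // Lenient decoding: the junk-prefixed header yields the same tokens as the clean
        // one, and split(":") breaks the colon-bearing password into extra tokens.
        System.out.println("servlet-style, clean:     " + Arrays.toString(decodeLikeServlet(clean)));
        System.out.println("servlet-style, with junk: " + Arrays.toString(decodeLikeServlet(withJunk)));

        // Strict decoding: the clean header gives exactly [user, password]; the
        // junk-prefixed one is rejected instead of being silently accepted.
        System.out.println("strict, clean:            " + Arrays.toString(decodeStrict(clean)));
        try {
            decodeStrict(withJunk);
            System.out.println("strict, with junk:        accepted (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("strict, with junk:        rejected: " + e.getMessage());
        }
    }
}
```

Compile against commons-codec (the same dependency the servlet uses) and run the class. The point worth checking in a real deployment is the lenient decoder, not the String-versus-byte[] choice: whatever produced the extra " :" in the attachment is never surfaced as an error by commons-codec, so a test that wants to prove a header is well-formed needs a decoder that refuses illegal characters, as the hypothetical `decodeStrict` does.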