[
https://issues.apache.org/jira/browse/CASSANDRA-13455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15972679#comment-15972679
]
Amos Jianjun Kong commented on CASSANDRA-13455:
-----------------------------------------------
[~snazy], thanks for your quick reply.
If we set the password to '', then the client will respond with '....\000cassandra\000'.
The good thing is that Cassandra has some checking of the request keys; it will
raise an error early (the problem code couldn't be reached).
```
cassandra.cluster.NoHostAvailable: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: code=0000 [Server error] message="java.lang.RuntimeException: com.google.common.util.concurrent.UncheckedExecutionException: org.apache.cassandra.exceptions.InvalidRequestException: Key may not be empty"',)})
```
```python
from cassandra.cluster import Cluster
from cassandra.auth import PlainTextAuthProvider

# PLAIN authentication with an empty password: the driver sends the
# SASL token '\000cassandra\000' (empty authzid, username, empty password).
auth = PlainTextAuthProvider(username='cassandra', password='')
cluster = Cluster(['127.0.0.1'], auth_provider=auth)

# connect() fails with the NoHostAvailable / AuthenticationFailed error above,
# so the statements after it are never reached.
session = cluster.connect(keyspace='system_auth')
session.execute("select * from role_members;")
session.shutdown()
```
---------
The decoding code is wrong: if decodeCredentials() processes the bytes
'....\000cassandra\000', it will wrongly parse "cassandra" as the password and
parse a wrong username.
Sorry, I'm not familiar with Cassandra unit tests; I don't know whether the
problem code is covered by a unit test.
> derangement in decoding client token
> ------------------------------------
>
> Key: CASSANDRA-13455
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13455
> Project: Cassandra
> Issue Type: Bug
> Environment: CentOS7.2
> Java 1.8
> Reporter: Amos Jianjun Kong
> Assignee: Amos Jianjun Kong
> Fix For: 3.10
>
> Attachments: 0001-auth-strictly-delimit-in-decoding-client-token.patch
>
>
> RFC 4616 requires that AuthZID, USERNAME and PASSWORD be delimited by a single '\000'.
> The current code actually delimits by serial '\000'; when the username or password
> is null, this causes decoding derangement.
> The problem was found in code review.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)