[
https://issues.apache.org/jira/browse/CASSANDRA-13455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15972743#comment-15972743
]
Robert Stupp commented on CASSANDRA-13455:
------------------------------------------
bq. if decodeCredentials() process a bytes ''....\000cassandra\000'', it will
wrongly parse cassandra as the password
I doubt this is true. Can you copy the decoding part into a standalone java app
and verify?
> derangement in decoding client token
> ------------------------------------
>
> Key: CASSANDRA-13455
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13455
> Project: Cassandra
> Issue Type: Bug
> Environment: CentOS7.2
> Java 1.8
> Reporter: Amos Jianjun Kong
> Assignee: Amos Jianjun Kong
> Fix For: 3.10
>
> Attachments: 0001-auth-strictly-delimit-in-decoding-client-token.patch
>
>
> RFC4616 requests AuthZID, USERNAME, PASSWORD are delimited by single '\000'.
> Current code actually delimits by serial '\000', when username or password
> is null, it caused decoding derangement.
> The problem was found in code review.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
