[
https://issues.apache.org/jira/browse/CASSANDRA-13455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15973866#comment-15973866
]
Amos Jianjun Kong edited comment on CASSANDRA-13455 at 4/19/17 1:40 AM:
------------------------------------------------------------------------
[~snazy] You are right, current code can split the client response bytes
rightly with single '\000'.
The only problem is that it only checked null points, but lost checking of none
strings.
{code}
- if (pass == null)
+ if (pass == null || pass.length == 0)
throw new AuthenticationException("Password must not be null");
- if (user == null)
+ if (user == null || user.length == 0)
throw new AuthenticationException("Authentication ID must not
be null");
{code}
was (Author: amoskong):
[~snazy] You are right, current code can split the client response bytes
rightly with single '\000'.
The only problem is that it only checked null points, but lost checking of none
strings.
```
- if (pass == null)
+ if (pass == null || pass.length == 0)
throw new AuthenticationException("Password must not be null");
- if (user == null)
+ if (user == null || user.length == 0)
throw new AuthenticationException("Authentication ID must not
be null");
```
> derangement in decoding client token
> ------------------------------------
>
> Key: CASSANDRA-13455
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13455
> Project: Cassandra
> Issue Type: Bug
> Environment: CentOS7.2
> Java 1.8
> Reporter: Amos Jianjun Kong
> Assignee: Amos Jianjun Kong
> Fix For: 3.10
>
> Attachments: 0001-auth-strictly-delimit-in-decoding-client-token.patch
>
>
> RFC4616 requests AuthZID, USERNAME, PASSWORD are delimited by single '\000'.
> Current code actually delimits by serial '\000', when username or password
> is null, it caused decoding derangement.
> The problem was found in code review.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
