nodece opened a new pull request #9172: URL: https://github.com/apache/pulsar/pull/9172
Signed-off-by: Zixuan Liu <[email protected]>

### Motivation

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).

### Modifications

- Disallow parsing of tokens with a "none" signature in authenticateToken

### Verifying this change

- [ ] Make sure that the change passes the CI checks.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
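The check this PR describes, as an added Python example rather than Pulsar's own (Java) code: a minimal JWT verifier that fixes the accepted algorithm on the server side and rejects any token whose header names "none" (or anything other than HS256) before the signature is examined. The key, the signed token and the unsigned admin token are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real broker loads its secret or public key from configuration.
SECRET_KEY = b"constructed-demo-secret-key"

def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_signed_token(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token, as a legitimate client would present."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

# Constructed unsigned token: header alg "none", admin claims, empty signature segment.
UNSIGNED_ADMIN_TOKEN = (
    _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + _b64url_encode(b'{"sub":"admin"}') + "."
)

def verify_token(token: str, key: bytes) -> dict:
    """Return the claims only if the token carries a valid HS256 signature under key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The algorithm is fixed by the server, not read from the client's header:
    # "none" (or anything other than HS256) is rejected before any signature
    # logic runs, so a presented token can never opt out of verification.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("rejected: token does not use the expected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("rejected: signature mismatch")
    return json.loads(_b64url_decode(payload_b64))

def accepts(token: str, key: bytes) -> bool:
    """True when verify_token admits the token, False when it rejects it."""
    try:
        verify_token(token, key)
        return True
    except ValueError:
        return False
```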
