[ 
https://issues.apache.org/jira/browse/HIVE-23704?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Mollitor reassigned HIVE-23704:
-------------------------------------


> Thrift HTTP Server Does Not Handle Auth Handle Correctly
> --------------------------------------------------------
>
>                 Key: HIVE-23704
>                 URL: https://issues.apache.org/jira/browse/HIVE-23704
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.3.7, 3.1.2
>            Reporter: David Mollitor
>            Assignee: David Mollitor
>            Priority: Critical
>             Fix For: 4.0.0
>
>         Attachments: Base64NegotiationError.png
>
>
> {code:java|title=ThriftHttpServlet.java}
>   private String[] getAuthHeaderTokens(HttpServletRequest request,
>       String authType) throws HttpAuthenticationException {
>     String authHeaderBase64 = getAuthHeader(request, authType);
>     String authHeaderString = StringUtils.newStringUtf8(
>         Base64.decodeBase64(authHeaderBase64.getBytes()));
>     String[] creds = authHeaderString.split(":");
>     return creds;
>   }
> {code}
> So here, it takes the authHeaderBase64 (which is a base-64 string), converts 
> it into bytes, and then tries to decode those bytes.  That is incorrect.  It 
> should convert the base-64 string directly into bytes.
> I tried to do this as part of [HIVE-22676] and the tests were failing because 
> the string that is being decoded is not actually Base-64 (see attached 
> image).  Again, the existing code doesn't care because it's not parsing 
> Base-64 text, it is parsing the bytes generated by converting base-64 text to 
> bytes.
> I'm not sure what effect this has, or what security issues this may present, 
> but it's definitely not correct.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
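The servlet method quoted in the issue decodes whatever follows the auth scheme with a lenient decoder (commons-codec's Base64 silently skips characters outside the alphabet, which is why a non-Base-64 header still "decodes") and then splits the result on every colon. As an added example, not Hive's own code and written in Python rather than Java so it can run stand-alone, the block below shows a strict parser for an RFC 7617 `Authorization: Basic` header next to an approximation of the lenient behaviour: the scheme is checked, the token must be valid Base-64 (`validate=True` rejects stray characters instead of dropping them), and the decoded credentials are split on the first colon only, since a password may itself contain `:`. The header value, the `HttpAuthenticationException` name and the `rejects` helper are constructed for illustration.

```python
import base64
import binascii
from typing import List, Optional, Tuple


class HttpAuthenticationException(Exception):
    """Name reused from the Hive servlet for illustration; any auth-parsing failure."""


def parse_basic_auth_header(authorization: Optional[str]) -> Tuple[str, str]:
    """Strictly parse 'Authorization: Basic <base64>' into (user, password).

    Checks the lenient code in the issue does not perform:
      * the scheme must be 'Basic' (scheme names are case-insensitive, RFC 7235);
      * the token must be valid Base-64, so junk such as a token from another
        scheme raises instead of decoding to garbage;
      * the decoded bytes must be UTF-8;
      * credentials are split on the FIRST colon only (RFC 7617: the user-id may
        not contain ':', but the password may).
    """
    if authorization is None:
        raise HttpAuthenticationException("Authorization header is missing")
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        raise HttpAuthenticationException("Authorization header is not Basic")
    token = parts[1].strip()
    try:
        raw = base64.b64decode(token, validate=True)  # reject non-alphabet characters
    except (binascii.Error, ValueError) as exc:
        raise HttpAuthenticationException(f"credentials are not valid Base-64: {exc}") from exc
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise HttpAuthenticationException("credentials are not valid UTF-8") from exc
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise HttpAuthenticationException("credentials must be of the form user:password")
    return user, password


def parse_basic_auth_header_lenient(authorization: str) -> List[str]:
    """Approximation of the servlet code in the issue: decode without validation
    (Python's default b64decode, like commons-codec, discards characters outside
    the alphabet) and split on every ':'.  Kept only to contrast with the strict
    parser above."""
    token = authorization.split(" ", 1)[1]
    decoded = base64.b64decode(token).decode("utf-8", errors="replace")
    return decoded.split(":")


def rejects(authorization: Optional[str]) -> bool:
    """True if the strict parser refuses the header (helper for demonstration)."""
    try:
        parse_basic_auth_header(authorization)
    except HttpAuthenticationException:
        return True
    return False


# Constructed sample: a Basic header whose password contains a colon.
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cr:et").decode("ascii")
# Constructed sample: not Base-64 ('*' is outside the alphabet) but 8 alphabet
# characters remain, so a lenient decoder accepts it without complaint.
SAMPLE_JUNK_HEADER = "Basic abcd*efgh"


if __name__ == "__main__":
    print(parse_basic_auth_header(SAMPLE_BASIC_HEADER))          # ('alice', 's3cr:et')
    print(parse_basic_auth_header_lenient(SAMPLE_BASIC_HEADER))  # ['alice', 's3cr', 'et']
    print(rejects(SAMPLE_JUNK_HEADER))                            # True
    print(parse_basic_auth_header_lenient(SAMPLE_JUNK_HEADER))   # decodes to garbage, no error
```

Running the block shows the two behaviours side by side: the strict parser returns the password intact and refuses the junk header, while the lenient approximation fragments the password on its internal colon and happily returns garbage for input that was never Base-64.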
