[
https://issues.apache.org/jira/browse/IMPALA-12341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gergely Farkas resolved IMPALA-12341.
-------------------------------------
Resolution: Fixed
> hs2 http authentication may fail due to header parsing issues if any prefix
> of the word "authorization" is present as a header in the http request
> --------------------------------------------------------------------------
>
> Key: IMPALA-12341
> URL: https://issues.apache.org/jira/browse/IMPALA-12341
> Project: IMPALA
> Issue Type: Bug
> Reporter: Gergely Farkas
> Assignee: Gergely Farkas
> Priority: Major
>
> Unfortunately, the THttpServer::parseHeader() function has a header parsing
> bug that could lead to an authentication problem:
> The THRIFT_strncasecmp() function used in the implementation returns true
> even if the name of the header being processed is a prefix of the header
> constant that is defined in the condition. For example: When processing the
> http header "auth: anyValue", we run into the code fragment where the
> Authorization header content is processed, because the condition
> THRIFT_strncasecmp("auth: anyValue", "Authorization", 4) == 0 is true, since
> the first 4 characters of the two strings are the same. This may break
> authentication if the http request has a header with a name that is a prefix
> to the word "Authorization" and that header is sent by the client after the
> "Authorization" header.
> The affected code fragment was originally added to the impala code from the
> Apache Thrift code. A bug ticket created to fix the issue in Thrift:
> https://issues.apache.org/jira/browse/THRIFT-5730
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
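The prefix-match problem described in the quoted issue, as an added worked example. This is constructed illustrative code, not Impala's or Thrift's THttpServer::parseHeader() and not the fix that landed for THRIFT-5730; the names ParsedHeaders, parseHeaderBuggy, parseHeaderFixed, nameIs and authFromRequest are this example's own, the sample request is constructed, and a portable ncasecmp stands in for THRIFT_strncasecmp. The buggy variant bounds the comparison by the length of the header name found in the request, so "Auth: anyValue" sent after the real "Authorization" header overwrites the stored credential; the hardened variant first requires the request-side name to be exactly as long as the constant.

```cpp
#include <cctype>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Constructed model (not Impala's or Thrift's code) of the dispatch pattern the
// issue describes: the header name is matched with an strncasecmp bounded by
// the length of the name found in the request, not by the constant's length.

struct ParsedHeaders {
    std::string authorization;  // value most recently stored for "Authorization"
};

// Portable stand-in for THRIFT_strncasecmp: compare at most n bytes, case-insensitively.
static int ncasecmp(const char* a, const char* b, size_t n) {
    for (size_t i = 0; i < n; ++i) {
        int ca = std::tolower(static_cast<unsigned char>(a[i]));
        int cb = std::tolower(static_cast<unsigned char>(b[i]));
        if (ca != cb) return ca - cb;
        if (ca == 0) return 0;  // both strings ended together
    }
    return 0;
}

// Strip leading/trailing spaces, tabs and CR from a header value.
static std::string trim(const std::string& s) {
    const char* ws = " \t\r";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Buggy dispatch: sz is the request-side name length, so "Auth" (sz == 4)
// compares equal to the first 4 bytes of "Authorization" and is treated as
// the Authorization header. An empty name (": v", sz == 0) matches as well.
static void parseHeaderBuggy(const std::string& line, ParsedHeaders& out) {
    size_t colon = line.find(':');
    if (colon == std::string::npos) return;
    size_t sz = colon;
    if (ncasecmp(line.c_str(), "Authorization", sz) == 0) {
        out.authorization = trim(line.substr(colon + 1));
    }
}

// Hardened dispatch: the request-side name must be exactly as long as the
// constant before the bounded compare is trusted.
static bool nameIs(const std::string& line, size_t sz, const char* name) {
    return sz == std::strlen(name) && ncasecmp(line.c_str(), name, sz) == 0;
}

static void parseHeaderFixed(const std::string& line, ParsedHeaders& out) {
    size_t colon = line.find(':');
    if (colon == std::string::npos) return;
    if (nameIs(line, colon, "Authorization")) {
        out.authorization = trim(line.substr(colon + 1));
    }
}

// Feed every header line of a request through one of the two parsers and
// return what ends up stored as the Authorization value.
std::string authFromRequest(const std::vector<std::string>& headers, bool hardened) {
    ParsedHeaders h;
    for (const std::string& line : headers) {
        if (hardened) parseHeaderFixed(line, h); else parseHeaderBuggy(line, h);
    }
    return h.authorization;
}

int main() {
    // Constructed request: a valid credential followed by a harmless "Auth" header.
    std::vector<std::string> request = {
        "Authorization: Basic dXNlcjpwYXNz",
        "Auth: anyValue",
    };
    std::cout << "buggy:    " << authFromRequest(request, false) << "\n";  // anyValue
    std::cout << "hardened: " << authFromRequest(request, true) << "\n";   // Basic dXNlcjpwYXNz
    return 0;
}
```

Header order matters for the buggy variant: if the prefix-named header arrives before the real one, the later "Authorization" line simply overwrites it again and the request authenticates, which is why the issue notes the failure only when the prefix header is sent after "Authorization". A name longer than the constant (for example "Authorizationx") does not match in either variant, because the bounded compare runs into the constant's terminating NUL.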