navinko commented on code in PR #9603:
URL: https://github.com/apache/ozone/pull/9603#discussion_r2673126575


##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java:
##########
@@ -49,6 +49,7 @@ protected void doGet(HttpServletRequest req, 
HttpServletResponse resp)
       String authorizationHeader = req.getHeader("Authorization");
       if (authorizationHeader == null
           || !authorizationHeader.startsWith(BEARER)
+          || authorizationHeader.length() <= BEARER.length()
           || !securityToken.equals(
               authorizationHeader.substring(BEARER.length() + 1))) {
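Review bot: the new `length() <= BEARER.length()` check stops `substring(BEARER.length() + 1)` from throwing on a bare `Bearer` header, but the character at index `BEARER.length()` that the `+ 1` skips is never verified, so a header consisting of `Bearer`, any single non-space character and then the token still passes `startsWith(BEARER)` and reaches the token comparison; add `|| authorizationHeader.charAt(BEARER.length()) != ' '` to the condition (this assumes BEARER does not itself include the separator, which the visible lines do not show). Separately, `securityToken.equals(...)` is not a constant-time comparison; consider `MessageDigest.isEqual` on the UTF-8 bytes of both strings so a mismatch does not leak how much of the presented token was correct.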

Review Comment:
   I think trimming the substring further will make the authorization checks 
less strict in case a malformed token, or a token with a space, is being passed. In the current 
implementation, the CM side does not accept any token with leading/trailing 
spaces. So if one passes a token with a space, ideally it should fail.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
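The strict parsing the comment above argues for, written out as an added example (this is not Ozone's PrometheusServlet code, and the class, method names and sample token are hypothetical). It assumes, as the `substring(BEARER.length() + 1)` in the hunk suggests, that the scheme constant does not include the separating space. Nothing is trimmed: a missing separator, an empty token, or any leading, trailing or embedded whitespace in the token fails closed, and the final comparison is constant-time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;

/** Added example, not project code: strict bearer-token checking for a metrics endpoint. */
public final class StrictBearerAuth {
  // Assumption: the scheme constant excludes the separating space, so the
  // character at index BEARER.length() must be checked explicitly.
  private static final String BEARER = "Bearer";

  /**
   * Returns the token only if the header is exactly "Bearer" + one space + a
   * non-empty token containing no whitespace. Anything else is rejected as-is;
   * nothing is trimmed, so "Bearer  tok" and "Bearer tok " both fail.
   */
  static Optional<String> extractToken(String authorizationHeader) {
    if (authorizationHeader == null
        || authorizationHeader.length() <= BEARER.length() + 1 // room for separator plus one token char
        || !authorizationHeader.startsWith(BEARER)
        || authorizationHeader.charAt(BEARER.length()) != ' ') { // the skipped separator must be a space
      return Optional.empty();
    }
    String token = authorizationHeader.substring(BEARER.length() + 1);
    for (int i = 0; i < token.length(); i++) {
      if (Character.isWhitespace(token.charAt(i))) { // leading/trailing/embedded whitespace fails closed
        return Optional.empty();
      }
    }
    return Optional.of(token);
  }

  /** Constant-time comparison so a mismatch does not leak the length of the matching prefix. */
  static boolean tokenMatches(String expected, String presented) {
    return MessageDigest.isEqual(
        expected.getBytes(StandardCharsets.UTF_8),
        presented.getBytes(StandardCharsets.UTF_8));
  }

  static boolean authorized(String expectedToken, String authorizationHeader) {
    return extractToken(authorizationHeader)
        .map(t -> tokenMatches(expectedToken, t))
        .orElse(false);
  }

  public static void main(String[] args) {
    String expected = "s3cr3t-token"; // constructed sample secret
    String[] headers = {               // constructed sample headers
        "Bearer s3cr3t-token",  // accepted
        "Bearer",               // rejected: no separator, no token (substring would have thrown)
        "Bearer ",              // rejected: empty token
        "Bearer  s3cr3t-token", // rejected: leading space in token is not trimmed away
        "Bearer s3cr3t-token ", // rejected: trailing space in token
        "Bearers3cr3t-token",   // rejected: separator missing
        "Basic czNjcjN0",       // rejected: wrong scheme
    };
    for (String h : headers) {
      System.out.printf("%-24s -> %s%n", "\"" + h + "\"",
          authorized(expected, h) ? "accept" : "reject");
    }
  }
}
```

Only the first sample header is accepted; every other one is rejected without an exception, which is the behaviour the comment asks for: a token that arrives with a space should fail rather than be silently repaired.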

