David Mollitor created HIVE-23704:
-------------------------------------

             Summary: Thrift HTTP Server Does Not Handle Auth Handle Correctly
                 Key: HIVE-23704
                 URL: https://issues.apache.org/jira/browse/HIVE-23704
             Project: Hive
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.3.7, 3.1.2
            Reporter: David Mollitor
            Assignee: David Mollitor
             Fix For: 4.0.0
         Attachments: Base64NegotiationError.png
{code:java|title=ThriftHttpServlet.java}
  private String[] getAuthHeaderTokens(HttpServletRequest request,
      String authType) throws HttpAuthenticationException {
    // Base64 payload of the Authorization header, scheme already stripped
    String authHeaderBase64 = getAuthHeader(request, authType);
    // Turns the Base64 text into bytes (platform default charset) and then
    // decodes those bytes, rather than decoding the Base64 string directly
    String authHeaderString = StringUtils.newStringUtf8(
        Base64.decodeBase64(authHeaderBase64.getBytes()));
    String[] creds = authHeaderString.split(":");
    return creds;
  }
{code}

So here, it takes the authHeaderBase64 (which is a base-64 string), converts it into bytes, and then tries to decode those bytes. That is incorrect. It should convert the base-64 string directly into bytes.

I tried to do this as part of [HIVE-22676] and the tests were failing because the string that is being decoded is not actually Base-64 (see attached image). Again, the existing code doesn't care because it's not parsing Base-64 text, it is parsing the bytes generated by converting base-64 text to bytes.

I'm not sure what effect this has, or what security issues this may present, but it's definitely not correct.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
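A stricter version of this token parsing, added here as an example and not Hive's own code. It assumes the Base64 payload has already been extracted from the header (as getAuthHeader does), uses only the JDK's java.util.Base64 instead of commons-codec, and declares a stand-in HttpAuthenticationException with the same name as Hive's.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not Hive's own code: a stricter version of the header parsing
// quoted in the issue. Takes the Base64 payload that getAuthHeader() returns.
public final class AuthHeaderTokens {
    // Stand-in for Hive's HttpAuthenticationException (assumed shape).
    public static final class HttpAuthenticationException extends Exception {
        public HttpAuthenticationException(String msg) { super(msg); }
    }

    // Returns {user, password}. Differences from the code in the issue:
    //  - the Base64 text is decoded directly, with no String.getBytes() round
    //    trip (which would depend on the JVM's default charset);
    //  - input that is not valid Base64 raises a clear error instead of being
    //    decoded into garbage; the payload is then decoded as UTF-8 explicitly;
    //  - only the first ':' separates user from password, so a password that
    //    itself contains ':' is preserved and a missing user name is rejected.
    public static String[] getAuthHeaderTokens(String authHeaderBase64)
            throws HttpAuthenticationException {
        if (authHeaderBase64 == null || authHeaderBase64.isEmpty()) {
            throw new HttpAuthenticationException("Authorization payload is missing");
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authHeaderBase64.trim());
        } catch (IllegalArgumentException e) {
            throw new HttpAuthenticationException("Authorization payload is not valid Base64");
        }
        String creds = new String(decoded, StandardCharsets.UTF_8);
        int sep = creds.indexOf(':');
        if (sep <= 0) {
            throw new HttpAuthenticationException("Credentials must be <user>:<password>");
        }
        return new String[] { creds.substring(0, sep), creds.substring(sep + 1) };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credential whose password itself contains ':'.
        String payload = Base64.getEncoder()
                .encodeToString("hive:pa:ss".getBytes(StandardCharsets.UTF_8));
        String[] t = getAuthHeaderTokens(payload);
        System.out.println("user=" + t[0] + " password=" + t[1]);
        try {
            getAuthHeaderTokens("not*base64*");   // '*' is outside the Base64 alphabet
        } catch (HttpAuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```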