David Mollitor created HIVE-23704:
-------------------------------------

             Summary: Thrift HTTP Server Does Not Handle Auth Handle Correctly
                 Key: HIVE-23704
                 URL: https://issues.apache.org/jira/browse/HIVE-23704
             Project: Hive
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.3.7, 3.1.2
            Reporter: David Mollitor
            Assignee: David Mollitor
             Fix For: 4.0.0
         Attachments: Base64NegotiationError.png

{code:java|title=ThriftHttpServlet.java}
  private String[] getAuthHeaderTokens(HttpServletRequest request,
      String authType) throws HttpAuthenticationException {
    String authHeaderBase64 = getAuthHeader(request, authType);
    String authHeaderString = StringUtils.newStringUtf8(
        Base64.decodeBase64(authHeaderBase64.getBytes()));
    String[] creds = authHeaderString.split(":");
    return creds;
  }
{code}

So here, it takes authHeaderBase64 (which is a base-64 string), converts it into 
bytes, and then tries to decode those bytes.  That is incorrect.  It should 
convert the base-64 string directly into bytes.

I tried to do this as part of [HIVE-22676] and the tests were failing because 
the string that is being decoded is not actually Base-64 (see attached image).  
Again, the existing code doesn't care because it's not parsing Base-64 text; it 
is parsing the bytes generated by converting base-64 text to bytes.

I'm not sure what effect this has or what security issues this may present, but 
it's definitely not correct.
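As an added illustration (not Hive's ThriftHttpServlet code and not the fix that eventually landed), here is a strict variant of the header parsing described above. It uses java.util.Base64, whose decoder raises an exception on input that is not actually Base-64 instead of silently skipping the offending characters, so the failure seen in the attached image would surface at the decode step. The class, method and exception names and the sample headers are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
// Added example: strict parsing of an HTTP Basic credential. Names are hypothetical.
public class StrictBasicAuthParser {
    public static final class AuthParseException extends Exception {
        AuthParseException(String msg) { super(msg); }
    }
    /** Returns {user, password} from a "Basic <base64>" header value, or throws. */
    public static String[] parseBasic(String headerValue) throws AuthParseException {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new AuthParseException("Not a Basic credential");
        }
        String token = headerValue.substring(6).trim();
        byte[] raw;
        try {
            // java.util.Base64's basic decoder is strict: any character outside the
            // alphabet (or bad padding) raises IllegalArgumentException rather than
            // being dropped, so a non-Base-64 token is detected here, not later.
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            throw new AuthParseException("Credential is not valid Base-64: " + e.getMessage());
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        // RFC 7617: user-id ':' password; only the first colon separates the two,
        // so a password that itself contains ':' must not be split again.
        int sep = decoded.indexOf(':');
        if (sep < 1) {
            throw new AuthParseException("Credential has no user-id or no ':' separator");
        }
        return new String[] { decoded.substring(0, sep), decoded.substring(sep + 1) };
    }
    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real client.
        String[] samples = {
            "Basic " + Base64.getEncoder().encodeToString("alice:s3cr:et".getBytes(StandardCharsets.UTF_8)),
            "Basic YWxp!Y2U6cGFzcw==",   // '!' is outside the Base-64 alphabet
            "Basic " + Base64.getEncoder().encodeToString("nocolon".getBytes(StandardCharsets.UTF_8)),
        };
        for (String s : samples) {
            try {
                String[] creds = parseBasic(s);
                System.out.println("user=" + creds[0] + " password=" + creds[1]);
            } catch (AuthParseException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The first sample parses to user "alice" with password "s3cr:et"; the second is rejected at the decode step and the third for lacking a separator.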



--
This message was sent by Atlassian Jira
(v8.3.4#803005)