[
https://issues.apache.org/jira/browse/THRIFT-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17315188#comment-17315188
]
Steven commented on THRIFT-5388:
--------------------------------
Hi Jens,
Thanks for your support. Besides the flag "FILE_FLAG_OVERLAPPED", also want to
add more flags like *SECURITY_SQOS_PRESENT* | *SECURITY_IDENTIFICATION* to
avoid server impersonating the client, unless the server is executing under the
same security context as the client.
> Named Pipes transport hardening
> -------------------------------
>
> Key: THRIFT-5388
> URL: https://issues.apache.org/jira/browse/THRIFT-5388
> Project: Thrift
> Issue Type: Bug
> Components: C++ - Library
> Reporter: Steven
> Priority: Major
>
> In current codes "lib\cpp\src\thrift\transport\TPipe.cpp", the flags to
> connect the named pipe is always FILE_FLAG_OVERLAPPED. It is not possible to
> set more security flags to avoid the named pipe server misuse the named pipe
> client's identify by
> [impersonatenamedpipeclient|https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient].
> Could we provide the API to set these flags? Thanks.
> Codes in "TPipe::open()" are listed below:
> DWORD flags = FILE_FLAG_OVERLAPPED;
> hPipe.reset(CreateFileA(pipename_.c_str(), GENERIC_READ | GENERIC_WRITE, 0,
> nullptr, OPEN_EXISTING, flags, nullptr));
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
