[ https://issues.apache.org/jira/browse/IMPALA-12341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gergely Farkas resolved IMPALA-12341.
-------------------------------------
    Resolution: Fixed

> hs2 http authentication may fail due to header parsing issues if any prefix of the word "authorization" is present as a header in the http request
> --------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-12341
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12341
>             Project: IMPALA
>          Issue Type: Bug
>            Reporter: Gergely Farkas
>            Assignee: Gergely Farkas
>            Priority: Major
>
> Unfortunately, the THttpServer::parseHeader() function has a header parsing
> bug that could lead to an authentication problem:
> The THRIFT_strncasecmp() function used in the implementation returns true
> even if the name of the header being processed is a prefix of the header
> constant that is defined in the condition. For example: When processing the
> http header "auth: anyValue", we run into the code fragment where the
> Authorization header content is processed, because the condition
> THRIFT_strncasecmp("auth: anyValue", "Authorization", 4) == 0) is true, since
> the first 4 characters of the two strings are the same. This may break
> authentication if the http request has a header with a name that is a prefix
> to the word "Authorization" and that header is sent by the client after the
> "Authorization" header.
> The affected code fragment was originally added to the Impala code from the
> Apache Thrift code. A bug ticket was created to fix the issue in Thrift:
> https://issues.apache.org/jira/browse/THRIFT-5730

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
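
The prefix match described in the ticket, next to a length-checked comparison, as an added example that is not part of the original message and not Thrift or Impala code. Assumptions: POSIX `strncasecmp` stands in for `THRIFT_strncasecmp`, the function names and the last-match-wins loop are hypothetical models of the behaviour the ticket describes, and the request headers are constructed.

```cpp
// Added illustration; names below are hypothetical, not Thrift or Impala code.
#include <strings.h>  // POSIX strncasecmp, standing in for THRIFT_strncasecmp
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

using Matcher = bool (*)(const char* header, size_t name_len, const char* wanted);

// Condition shape quoted in the ticket: compares only the first name_len bytes,
// so any header name that is a prefix of `wanted` matches.
static bool matches_prefix_only(const char* header, size_t name_len, const char* wanted) {
  return strncasecmp(header, wanted, name_len) == 0;
}

// Hardened form: the header name must also have the same length as `wanted`.
static bool matches_exact(const char* header, size_t name_len, const char* wanted) {
  return name_len == std::strlen(wanted) && strncasecmp(header, wanted, name_len) == 0;
}

// Assumed model of the server loop: each matching header overwrites the stored
// credential, so the last match in the request wins.
static std::string extract_auth(const std::vector<std::string>& headers, Matcher match) {
  std::string auth;
  for (const std::string& h : headers) {
    const size_t colon = h.find(':');
    if (colon == std::string::npos) continue;  // not a "name: value" line
    if (!match(h.c_str(), colon, "Authorization")) continue;
    const size_t start = h.find_first_not_of(" \t", colon + 1);
    auth = (start == std::string::npos) ? "" : h.substr(start);
  }
  return auth;
}

// Constructed request headers: a real credential followed by a prefix-named header.
static const std::vector<std::string> kSampleHeaders = {
    "Authorization: Basic dXNlcjpwYXNz",
    "Auth: anyValue",
};

int main() {
  std::cout << "prefix-only: " << extract_auth(kSampleHeaders, matches_prefix_only) << "\n";
  std::cout << "exact:       " << extract_auth(kSampleHeaders, matches_exact) << "\n";
  return 0;
}
```

With the prefix-only comparison the stored credential is replaced by the value of the `Auth` header; with the length check the original `Authorization` value survives.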