Hello Jason Fehr, Csaba Ringhofer, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/20301

to look at the new patch set (#11).

Change subject: IMPALA-12341: Fix http header parsing issue in thrift http server
......................................................................

IMPALA-12341: Fix http header parsing issue in thrift http server

This change fixes the following http header parsing bug in
THttpServer: The THRIFT_strncasecmp() function used in the
THttpServer::parseHeader() function returns true even if the name
of the header being processed is a prefix of the header constant
that is defined in the condition.
For example: In the original implementation when processing the
http header "auth: anyValue", we run into the code fragment where
the Authorization header content is processed, because the condition
THRIFT_strncasecmp("auth: anyValue", "Authorization", 4) == 0
is true, since the first 4 characters of the two strings are the same.
This can break authentication if the http request has a header
with a name that is a prefix of the word "Authorization".
If the length of the checked header is included in the condition,
this problem is avoided, so this fix refactors the if conditions,
so that this check is present everywhere.

Tested with new custom cluster tests.

Change-Id: I754639cfe3eab0016d09f71ded4821caa357bf87
---
M be/src/transport/THttpServer.cpp
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
2 files changed, 51 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/01/20301/11
--
To view, visit http://gerrit.cloudera.org:8080/20301
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I754639cfe3eab0016d09f71ded4821caa357bf87
Gerrit-Change-Number: 20301
Gerrit-PatchSet: 11
Gerrit-Owner: Gergely Farkas <gfar...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <csringho...@cloudera.com>
Gerrit-Reviewer: Gergely Farkas <gfar...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Jason Fehr <jf...@cloudera.com>
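
The prefix match described in the commit message above, next to a length-checked comparison, as an added example that is not code from the Impala or Thrift source. The function names are hypothetical, POSIX strncasecmp() stands in for THRIFT_strncasecmp() on the assumption that it behaves the same, and the header values are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>  /* strncasecmp (POSIX), assumed equivalent to THRIFT_strncasecmp */

/* Prefix-only check as described in the commit message: only the first
 * sz characters (the received header name) are compared, so a name that
 * is a prefix of the constant is accepted as that header. */
int matches_prefix_only(const char *header, const char *name) {
    const char *colon = strchr(header, ':');
    if (colon == NULL) return 0;               /* not a "name: value" line */
    size_t sz = (size_t)(colon - header);      /* length of received name */
    return strncasecmp(header, name, sz) == 0;
}

/* Length-checked form: the received name must be exactly as long as the
 * constant before the case-insensitive comparison is allowed to match. */
int matches_exact(const char *header, const char *name) {
    const char *colon = strchr(header, ':');
    if (colon == NULL) return 0;
    size_t sz = (size_t)(colon - header);
    return sz == strlen(name) && strncasecmp(header, name, sz) == 0;
}

int main(void) {
    /* Constructed sample header lines. */
    const char *samples[] = {
        "auth: anyValue",            /* prefix of "Authorization" */
        "authorization: Basic abc",  /* real header, different case */
        "Authorization-Extra: x",    /* longer name, must not match */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-28s prefix-only=%d exact=%d\n", samples[i],
               matches_prefix_only(samples[i], "Authorization"),
               matches_exact(samples[i], "Authorization"));
    }
    return 0;
}
```

Only the first sample line differs between the two checks: the prefix-only form treats "auth" as the Authorization header, the length-checked form does not.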
