cassandra-commits mailing list archives

From "Amos Jianjun Kong (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-13455) lose check of null strings in decoding client token
Date Wed, 19 Apr 2017 01:44:41 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-13455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amos Jianjun Kong updated CASSANDRA-13455:
------------------------------------------
    Description: 
RFC 4616 requires that AuthZID, USERNAME and PASSWORD be delimited by a single '\000'.
The current code actually delimits by serial '\000'; when the username or password
is null, this causes decoding derangement.

The problem was found in code review.

------------
Update: the above description is wrong; the problem is that:
when the client responds with null strings for the username or password,
the current decodeCredentials() can't identify them.


  was:
RFC 4616 requires that AuthZID, USERNAME and PASSWORD be delimited by a single '\000'.
The current code actually delimits by serial '\000'; when the username or password
is null, this causes decoding derangement.

The problem was found in code review.


> lose check of null strings in decoding client token
> ---------------------------------------------------
>
>                 Key: CASSANDRA-13455
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13455
>             Project: Cassandra
>          Issue Type: Bug
>         Environment: CentOS7.2
> Java 1.8
>            Reporter: Amos Jianjun Kong
>            Assignee: Amos Jianjun Kong
>             Fix For: 3.10
>
>         Attachments: 0001-auth-check-both-null-points-and-null-strings.patch, 0001-auth-strictly-delimit-in-decoding-client-token.patch
>
>
> RFC 4616 requires that AuthZID, USERNAME and PASSWORD be delimited by a single '\000'.
> The current code actually delimits by serial '\000'; when the username or password
> is null, this causes decoding derangement.
> The problem was found in code review.
> ------------
> Update: the above description is wrong; the problem is that:
> when the client responds with null strings for the username or password,
> the current decodeCredentials() can't identify them.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
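As an added illustration of the failure mode the ticket describes (example code, not Cassandra's decodeCredentials() or either attached patch): a constructed lenient decoder that only rejects a field it never saw (None) beside a strict RFC 4616 decoder that requires exactly two NUL delimiters and a non-empty username and password. The token layout, function names and sample tokens are assumptions for the example.

```python
# Added example (not Cassandra's code): SASL PLAIN (RFC 4616) client-token decoding.
# The token is  [authzid] NUL authcid NUL passwd ; authzid may be empty, but the
# username (authcid) and password must each be at least one byte.
NUL = b"\x00"


class BadCredentials(ValueError):
    """Raised when the token is malformed or a required field is empty."""


def decode_lenient(token: bytes):
    """Constructed illustration of the reported bug: fields are found by
    scanning backwards for NULs, but only a field that was never seen (None)
    is rejected, so an empty username or password passes through as ''."""
    user = passwd = None
    end = len(token)
    for i in range(len(token) - 1, -1, -1):
        if token[i] == 0:
            if passwd is None:
                passwd = token[i + 1:end]
            elif user is None:
                user = token[i + 1:end]
            end = i
    if user is None or passwd is None:
        raise BadCredentials("missing field")
    return user.decode("utf-8"), passwd.decode("utf-8")


def decode_strict(token: bytes):
    """Decoder with both checks: exactly two NUL delimiters (strict
    delimiting), and username/password present *and* non-empty."""
    parts = token.split(NUL)
    if len(parts) != 3:
        raise BadCredentials(f"expected 2 NUL delimiters, found {len(parts) - 1}")
    _authzid, user, passwd = parts
    if not user:
        raise BadCredentials("empty username")
    if not passwd:
        raise BadCredentials("empty password")
    return user.decode("utf-8"), passwd.decode("utf-8")


def rejects(decoder, token: bytes) -> bool:
    """True if decoder raises BadCredentials for token (used to compare both)."""
    try:
        decoder(token)
        return False
    except BadCredentials:
        return True
```

With the constructed tokens `b"\x00alice\x00"` (empty password) and `b"\x00\x00secret"` (empty username), the lenient decoder returns a tuple containing an empty string while the strict one raises.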
