cassandra-commits mailing list archives

From "Amos Jianjun Kong (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-13455) lose check of null strings in decoding client token
Date Thu, 20 Apr 2017 00:08:04 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-13455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15975768#comment-15975768 ]

Amos Jianjun Kong commented on CASSANDRA-13455:
-----------------------------------------------

I agree that empty passwords should be allowed for both PasswordAuthenticator and AllowAllAuthenticator.
Checking for an empty username in decodeCredentials() would find the problem early; however, PasswordAuthenticator
can do it by itself.

So we can treat this issue as NOTABUG and ignore the patches. Thanks for your responses :-)

> lose check of null strings in decoding client token
> ---------------------------------------------------
>
>                 Key: CASSANDRA-13455
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13455
>             Project: Cassandra
>          Issue Type: Bug
>         Environment: CentOS 7.2
> Java 1.8
>            Reporter: Amos Jianjun Kong
>            Assignee: Amos Jianjun Kong
>             Fix For: 3.10
>
>         Attachments: 0001-auth-check-both-null-points-and-null-strings.patch, 0001-auth-strictly-delimit-in-decoding-client-token.patch
>
>
> RFC 4616 requires that AuthZID, USERNAME and PASSWORD be delimited by a single '\000'.
> The current code actually delimits by a series of '\000'; when the username or password
> is null, this causes decoding derangement.
> The problem was found in code review.
> ------------
> Update: the above description is wrong; the problem is that
> when the client responds with null strings for the username or password,
> the current decodeCredentials() can't identify it.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
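As an added illustration of the point discussed above (not Cassandra's own decodeCredentials(), and not code from either attached patch), the following Python decodes an RFC 4616 SASL PLAIN token in two ways: a strict decoder that splits on each single '\000', so an empty username or password survives as an empty string, beside a lenient variant that collapses runs of NULs and shifts the remaining fields into the wrong slots. The shape check for an empty username is then applied by a separate authenticator-style policy, as the comment argues, rather than inside the decoder. Function names, the MalformedToken/AuthError classes and the allow_all flag are assumptions made for this example.

```python
# Added example: RFC 4616 SASL PLAIN decoding, strict vs. lenient.
# Illustrative code only; not Cassandra's decodeCredentials().
# Wire format (RFC 4616): message = [authzid] NUL authcid NUL passwd
from typing import Optional, Tuple

NUL = b"\x00"


class MalformedToken(ValueError):
    """Token is not exactly [authzid] NUL authcid NUL passwd (assumed name)."""


class AuthError(Exception):
    """Credentials rejected by the authenticator-layer policy (assumed name)."""


def decode_plain_strict(token: bytes) -> Tuple[Optional[str], str, str]:
    """Split on every NUL byte, as RFC 4616 specifies.

    Returns (authzid, authcid, passwd). authzid is None when the optional
    first field is empty. An empty authcid or passwd comes back as '' so the
    caller can decide what to do with it; the decoder itself does not reject.
    """
    parts = token.split(NUL)
    if len(parts) != 3:
        raise MalformedToken(
            f"expected 2 NUL delimiters, found {len(parts) - 1}")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise MalformedToken("fields must be UTF-8") from exc
    return (authzid or None, authcid, passwd)


def decode_plain_lenient(token: bytes) -> Tuple[Optional[str], str, str]:
    """Contrast case: treats any run of NULs as one delimiter by dropping
    empty segments. An empty username or password disappears and the
    remaining values shift, which is the 'derangement' the issue describes."""
    parts = [p.decode("utf-8") for p in token.split(NUL) if p]
    if len(parts) > 3:
        raise MalformedToken("too many fields")
    while len(parts) < 3:          # pad on the left, as if authzid were absent
        parts.insert(0, "")
    return (parts[0] or None, parts[1], parts[2])


def authenticate(token: bytes, allow_all: bool = False) -> Tuple[str, str]:
    """Decode strictly, then apply the policy discussed in the thread:
    allow_all=True mirrors an AllowAllAuthenticator (nothing rejected);
    otherwise an empty username is rejected but an empty password is passed
    through for the credential check. authzid is ignored here (assumption)."""
    _authzid, authcid, passwd = decode_plain_strict(token)
    if not allow_all and authcid == "":
        raise AuthError("empty username is not allowed")
    return authcid, passwd


if __name__ == "__main__":
    # Constructed sample tokens, not captured traffic.
    for tok in (b"\x00alice\x00", b"\x00\x00secret", b"admin\x00alice\x00s3cret"):
        print(tok, "strict:", decode_plain_strict(tok),
              "lenient:", decode_plain_lenient(tok))
```

With the token for user "alice" and an empty password, the strict decoder returns ('alice', '') while the lenient one returns an empty username and the password "alice"; only the strict form lets the authenticator distinguish the two cases.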
