  1. Thrift
  2. THRIFT-5730

header parsing issue in C++ implementation of THttpServer

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: C++ - Library

    Description

      The THRIFT_strncasecmp(header, <header name constant>, sz) == 0 condition used in the THttpServer::parseHeader() function returns true even if the name of the header being processed is only a prefix of the header constant that is defined in the condition.
      For example, when processing the HTTP header line "con: 123", we enter the code fragment where the Content-length header content is processed, because the condition THRIFT_strncasecmp("con: 123", "Content-length", 3) == 0 is true, since the first 3 characters of the two strings are the same.
      The same is true for the strncmp(header, "X-Forwarded-For", sz) == 0 condition, where the header line "X: 127.0.0.1" may hide the Origin if the client sends that after the X-Forwarded-For header (and the proxy does not change the header order).
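
The comparison described above next to a stricter one that also requires equal name lengths, as an added example (not code from the Thrift project or from the reporter). It assumes sz is the number of characters before the first ':' in the header line, as the report's example implies; the function names are hypothetical, and POSIX strncasecmp stands in for THRIFT_strncasecmp in both checks.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <strings.h>  // strncasecmp (POSIX), standing in for THRIFT_strncasecmp

// Finds the header name length (characters before the first ':').
// Returns false when the line contains no colon at all.
static bool nameLength(const char* header, std::size_t& sz) {
  const char* colon = std::strchr(header, ':');
  if (colon == nullptr) return false;
  sz = static_cast<std::size_t>(colon - header);
  return true;
}

// The condition from the report: only the first sz characters are compared,
// so a name that is merely a prefix of the constant (or empty) also matches.
static bool matchesPrefixOnly(const char* header, const char* name) {
  std::size_t sz = 0;
  return nameLength(header, sz) && strncasecmp(header, name, sz) == 0;
}

// Stricter check: the received name must have exactly the constant's length
// before its characters are compared.
static bool matchesExactName(const char* header, const char* name) {
  std::size_t sz = 0;
  return nameLength(header, sz) && sz == std::strlen(name) &&
         strncasecmp(header, name, sz) == 0;
}

int main() {
  // Constructed sample lines; the first and third come from the report.
  const char* lines[] = {"con: 123", "Content-Length: 123", "X: 127.0.0.1",
                         "X-Forwarded-For: 127.0.0.1"};
  const char* names[] = {"Content-length", "Content-length", "X-Forwarded-For",
                         "X-Forwarded-For"};
  for (int i = 0; i < 4; ++i) {
    std::printf("%-28s vs %-16s prefix-only=%d exact=%d\n", lines[i], names[i],
                matchesPrefixOnly(lines[i], names[i]),
                matchesExactName(lines[i], names[i]));
  }
  return 0;
}
```
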

            People

              Assignee: Unassigned
              Reporter: Gergely Farkas (gfarkas)