From rnew...@apache.org
Subject couchdb commit: updated refs/heads/2299-dont-upgrade-admin-hashes-stupidly to 5e46f3b
Date Thu, 21 Aug 2014 15:40:44 GMT
Repository: couchdb
Updated Branches:
  refs/heads/2299-dont-upgrade-admin-hashes-stupidly [created] 5e46f3b98


Don't upgrade admin hashes into the _users database

Admin users are stored in .ini files and are not full-fledged user
documents. Internally, a fake document is made to allow insertion into
the auth cache. CouchDB 1.6 introduced a feature to upgrade password
hashes from the legacy simple hash scheme to the stronger PBKDF2
scheme. It inappropriately attempted to do this to the fake admin
docs, which do not pass the _design/_auth validation checks. That failure is
fortunate, however, as CouchDB would otherwise have written the admin users
into the users database, causing widespread confusion and fear.


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/5e46f3b9
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/5e46f3b9
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/5e46f3b9

Branch: refs/heads/2299-dont-upgrade-admin-hashes-stupidly
Commit: 5e46f3b988797e16bde36518d5b808eadd83ecfa
Parents: 6acdb22
Author: Robert Newson <rnewson@apache.org>
Authored: Thu Aug 21 16:34:59 2014 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Thu Aug 21 16:34:59 2014 +0100

----------------------------------------------------------------------
 src/couchdb/couch_httpd_auth.erl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e46f3b9/src/couchdb/couch_httpd_auth.erl
----------------------------------------------------------------------
diff --git a/src/couchdb/couch_httpd_auth.erl b/src/couchdb/couch_httpd_auth.erl
index 6888f06..3052832 100644
--- a/src/couchdb/couch_httpd_auth.erl
+++ b/src/couchdb/couch_httpd_auth.erl
@@ -345,8 +345,9 @@ maybe_value(Key, Else, Fun) ->
     [{Key, Fun(Else)}].
 
 maybe_upgrade_password_hash(UserName, Password, UserProps) ->
-    case couch_util:get_value(<<"password_scheme">>, UserProps, <<"simple">>)
of
-    <<"simple">> ->
+    IsAdmin = lists:member(<<"_admin">>, couch_util:get_value(<<"roles">>,
UserProps, [])),
+    case {IsAdmin, couch_util:get_value(<<"password_scheme">>, UserProps, <<"simple">>)}
of
+    {false, <<"simple">>} ->
         DbName = ?l2b(couch_config:get("couch_httpd_auth", "authentication_db", "_users")),
         couch_util:with_db(DbName, fun(UserDb) ->
             UserProps2 = proplists:delete(<<"password_sha">>, UserProps),
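Review bot: Keying the skip on `_admin` being present in `roles` also excludes genuine `_users` documents that carry the `_admin` role, so those real accounts will stay on the legacy simple hash even though they would pass the _design/_auth validation; the guard tests a proxy for "synthesized .ini admin doc" rather than that property itself. If the fake admin doc has a field that real user docs never carry, or the caller knows where the props came from, matching on that (or passing an explicit flag) would be more precise — how the fake doc is built is not visible in this hunk, so this is an inference. The new `{false, <<"simple">>} ->` branch also deserves a why-comment, e.g. `%% .ini admins are synthesized docs, not _users documents; never write them to the users db.` maybe_upgrade_password_hash continues past the end of the hunk.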

