From rnew...@apache.org
Subject couch commit: updated refs/heads/master to 9d90ee9
Date Fri, 22 Aug 2014 10:03:13 GMT
Repository: couchdb-couch
Updated Branches:
  refs/heads/master c68dc6511 -> 9d90ee9c3


Don't upgrade admin hashes into the _users database

Admin users are stored in .ini files and are not full-fledged user
documents. Internally, a fake document is made to allow insertion into
the auth cache. CouchDB 1.6 introduced a feature to upgrade password
hashes from the legacy simple hash scheme to the stronger PBKDF2
scheme. It inappropriately attempted to do this to the fake admin
docs, which do not pass the _design/_auth validation checks. This is
fortunate, however, as CouchDB would otherwise have written the admin users
into the users database, causing widespread confusion and fear.


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/9d90ee9c
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/9d90ee9c
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/9d90ee9c

Branch: refs/heads/master
Commit: 9d90ee9c3c215725210a44cc0c4fc2e113022e3c
Parents: c68dc65
Author: Robert Newson <rnewson@apache.org>
Authored: Thu Aug 21 16:34:59 2014 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Fri Aug 22 11:02:50 2014 +0100

----------------------------------------------------------------------
 src/couch_httpd_auth.erl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/9d90ee9c/src/couch_httpd_auth.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_auth.erl b/src/couch_httpd_auth.erl
index 6c1d037..2f9250d 100644
--- a/src/couch_httpd_auth.erl
+++ b/src/couch_httpd_auth.erl
@@ -356,8 +356,9 @@ maybe_value(Key, Else, Fun) ->
     [{Key, Fun(Else)}].
 
 maybe_upgrade_password_hash(UserName, Password, UserProps, AuthModule) ->
-    case couch_util:get_value(<<"password_scheme">>, UserProps, <<"simple">>)
of
-    <<"simple">> ->
+    IsAdmin = lists:member(<<"_admin">>, couch_util:get_value(<<"roles">>,
UserProps, [])),
+    case {IsAdmin, couch_util:get_value(<<"password_scheme">>, UserProps, <<"simple">>)}
of
+    {false, <<"simple">>} ->
         DbName = ?l2b(config:get("couch_httpd_auth", "authentication_db", "_users")),
         couch_util:with_db(DbName, fun(UserDb) ->
             UserProps2 = proplists:delete(<<"password_sha">>, UserProps),
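Review bot: The new `IsAdmin` line infers "this is an .ini admin" from the presence of the `_admin` role rather than from where the props were built, so any `_users` document that legitimately carries `_admin` in its roles (whether the users db's validation permits that is not visible here) would also be left on the legacy `simple` scheme for good; if the intent is only to skip the synthesised admin docs, a marker set where those docs are created would be a more direct test. The reason for the skip exists only in the commit message, so a why-comment above the new line would help the next reader, e.g. `%% .ini admins are synthesised docs, not _users docs; writing them to the users db would fail validation.` `lists:member/2` will raise if `roles` is present but not a list — fine if the doc shape is guaranteed upstream, worth a guard at this trust boundary otherwise. The remainder of maybe_upgrade_password_hash, including the other branch of the new tuple `case`, is outside the hunk.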

