From klaus_trai...@apache.org
Subject [1/4] couchdb commit: updated refs/heads/couchdb-peruser to 3d722bb
Date Tue, 18 Aug 2015 15:42:11 GMT
Repository: couchdb
Updated Branches:
  refs/heads/couchdb-peruser 837c27f80 -> 3d722bb63 (forced update)


Use POST requests to verify CSRF


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/68e83c23
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/68e83c23
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/68e83c23

Branch: refs/heads/couchdb-peruser
Commit: 68e83c23b0ac24f7f3245894a3765a5649718880
Parents: b3c5367
Author: Robert Newson <rnewson@apache.org>
Authored: Mon Aug 10 20:11:47 2015 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Mon Aug 10 20:11:47 2015 +0100

----------------------------------------------------------------------
 test/javascript/tests/csrf.js | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/68e83c23/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
index 9baef82..9799d6f 100644
--- a/test/javascript/tests/csrf.js
+++ b/test/javascript/tests/csrf.js
@@ -11,12 +11,17 @@
 // the License.
 
 couchTests.csrf = function(debug) {
+  var db = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
+  db.deleteDb();
+  db.createDb();
+
   if (debug) debugger;
 
   // Handy function to cause CouchDB to delete the CSRF cookie
   var deleteCsrf = function() {
-    var xhr = CouchDB.request("GET", "/",
-                              {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+    var xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
+                              body: '{"keys": []}',
+                              headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
     TEquals(403, xhr.status);
   };
 
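Review bot: The `deleteCsrf` helper asserts only the 403 status, so a 403 produced by anything other than the CSRF check (the database missing, an authorization failure) would satisfy it just as well; the matching-but-invalid case in the next hunk also asserts that the validity header is absent, and the helper should do the same after its `TEquals(403, xhr.status);`: `TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "invalid cookie/header pair");`. The comment above the helper says the request causes CouchDB to delete the CSRF cookie, but nothing in the helper verifies that; if the server clears the cookie with a Set-Cookie response header, asserting on that header here would make the helper self-checking instead of relying on whatever the callers assert afterwards. The `test_suite_db` database created at the top of the function is not deleted anywhere in the visible hunks; `couchTests.csrf` continues past this hunk, so the cleanup may live there, but it is worth confirming.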
@@ -26,7 +31,9 @@ couchTests.csrf = function(debug) {
   TEquals(200, xhr.status);
 
   // Matching but invalid cookie/header should 403
-  xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
+                        body: '{"keys": []}',
+                        headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and
header");
 
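Review bot: The POST to `/test_suite_db/_all_docs` with body `'{"keys": []}'` is spelled out inline here, once in `deleteCsrf` in the first hunk, and three more times in the third hunk, each copy differing only in the headers it sends; a small helper would keep the request shape in one place so the exercised endpoint can be changed on one line. This is a point of style rather than a defect, but with the literal wrapped across lines it is easy for one copy to drift (for example to lose the body) and silently test a different request than the others. The no-header case in the third hunk would become `xhr = csrfRequest();` and the matching-header case `xhr = csrfRequest({"X-CouchDB-CSRF": cookie[1]});`. I have not checked whether `CouchDB.request` treats an absent `headers` key and an empty object identically, so the helper below only adds the key when headers are given.
```javascript
  // Every CSRF probe hits the same state-changing endpoint; only the headers vary.
  var csrfRequest = function(headers) {
    var options = {body: '{"keys": []}'};
    if (headers) options.headers = headers;
    return CouchDB.request("POST", "/test_suite_db/_all_docs", options);
  };
  // … unchanged: cookie/header assertions …
```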
@@ -36,17 +43,19 @@ couchTests.csrf = function(debug) {
   T(cookie, "Should receive cookie");
 
   // If I have a cookie, do I get a 403 if I don't send the header?
-  xhr = CouchDB.request("GET", "/");
+  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}'});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
 
   // If I have a cookie, do I get a 200 if I send a matching header?
-  xhr = CouchDB.request("GET", "/", {headers: {"X-CouchDB-CSRF": cookie[1]}});
+  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
+                                                             headers: {"X-CouchDB-CSRF":
cookie[1]}});
   TEquals(200, xhr.status);
   TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent
this");
 
   // How about the wrong header?
-  xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo'}});
+  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
+                                                             headers: {'X-CouchDB-CSRF':
'foo'}});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
 
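Review bot: After this hunk no request in the test uses GET any more, so the exemption of safe methods from the CSRF check — which the commit title suggests is the reason every probe moved to POST — is no longer exercised, and a regression that started rejecting GETs without the header would go unnoticed. One assertion next to the `We didn't send the header` case would pin it down, e.g. `xhr = CouchDB.request("GET", "/test_suite_db/_all_docs"); TEquals(200, xhr.status, "safe methods are not subject to the CSRF check");`. That GET is meant to be exempt is inferred from the title rather than from the visible lines, so confirm it before adding the case. `couchTests.csrf` continues past the end of this hunk.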

