From rnew...@apache.org
Subject couch commit: updated refs/heads/master to 8fc187d
Date Sat, 08 Aug 2015 16:36:42 GMT
Repository: couchdb-couch
Updated Branches:
  refs/heads/master 2f14e59ee -> 8fc187d79


Add option to make CSRF cookie mandatory

When enabled, the CSRF cookie/header is required on all requests
except those to the welcome message at /.

COUCHDB-2762


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/8fc187d7
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/8fc187d7
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/8fc187d7

Branch: refs/heads/master
Commit: 8fc187d79c1573ffa6b61d756f6ad8601243d3ae
Parents: 2f14e59
Author: Robert Newson <rnewson@apache.org>
Authored: Sat Aug 8 14:03:23 2015 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Sat Aug 8 14:03:23 2015 +0100

----------------------------------------------------------------------
 src/couch_httpd_csrf.erl | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/8fc187d7/src/couch_httpd_csrf.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_csrf.erl b/src/couch_httpd_csrf.erl
index ab82635..ec7116d 100644
--- a/src/couch_httpd_csrf.erl
+++ b/src/couch_httpd_csrf.erl
@@ -37,11 +37,11 @@ validate(#httpd{} = Req) ->
     Header = couch_httpd:header_value(Req, "X-CouchDB-CSRF"),
     case {Cookie, Header} of
         {undefined, undefined} ->
-            ok;
+            throw_if_mandatory(Req);
         {undefined, "true"} ->
-            ok;
+            throw_if_mandatory(Req);
         {"deleted", "true"} ->
-            ok;
+            throw_if_mandatory(Req);
         {undefined, _} ->
             throw({forbidden, <<"CSRF header sent without Cookie">>});
         {Csrf, Csrf} ->
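Review bot: Once `[csrf] mandatory` is true, the `{undefined, "true"}` and `{"deleted", "true"}` clauses now throw for every path except `/`, so a client that has no cookie yet and sends `X-CouchDB-CSRF: true` to any other endpoint is rejected before headers/2 (which presumably issues the cookie) ever runs. That matches the commit message, but nothing in the code says the welcome endpoint is the only place to bootstrap a cookie in mandatory mode; a comment above the `{undefined, "true"}` clause such as `%% In mandatory mode a cookie can only be obtained from the welcome message at /` would save the next reader the same trace. The three clauses also share one intent and could collapse into a single `{C, H} when C =:= undefined; C =:= "deleted", H =:= "true" ...` style guard, though the explicit clauses are arguably clearer. validate/1 begins before this hunk and continues past it.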
@@ -63,6 +63,16 @@ validate(Csrf) when is_list(Csrf) ->
             end
     end.
 
+throw_if_mandatory(#httpd{path_parts = []}) ->
+    ok; %% Welcome message is public / entrypoint
+throw_if_mandatory(_) ->
+    case csrf_mandatory() of
+        true ->
+            throw({forbidden, <<"CSRF Cookie/Header is mandatory">>});
+        false ->
+            ok
+    end.
+
 
 headers(#httpd{} = Req, Headers) ->
     Header = couch_httpd:header_value(Req, "X-CouchDB-CSRF"),
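Review bot: throw_if_mandatory/1 exempts on `path_parts = []` alone, so every method to `/` is exempt, not only the GET that returns the welcome message; that is harmless for the welcome handler, but the scope should be stated rather than left to the trailing remark on the `ok;` line, which erlfmt/elvis will flag as an end-of-line comment. Suggest replacing it with a leading clause comment, `%% Only the welcome message at / is exempt: any other path must carry the CSRF cookie/header once [csrf] mandatory = true.`, and adding `-spec throw_if_mandatory(#httpd{}) -> ok.` (it returns ok or throws `{forbidden, _}` like the existing validate/1 clauses). csrf_mandatory/0 is consulted on every unauthenticated request; that is fine if config:get_boolean is an ETS read, as I believe it is, but worth confirming.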
@@ -177,3 +187,6 @@ max_age() ->
 
 timestamp() ->
     couch_httpd_auth:make_cookie_time().
+
+csrf_mandatory() ->
+    config:get_boolean("csrf", "mandatory", false).
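Review bot: The new `[csrf] mandatory` setting is introduced only through this accessor; the diffstat shows no default.ini entry or documentation change, so operators have no discoverable record of the key or its default. If the default config and docs live in another repository that is fine, but a short comment here would still help, e.g. `%% [csrf] mandatory = true rejects cookie-less requests on every path but /; defaults to off.`. Reading the setting per request is acceptable given config lookups are cheap, as far as I can tell.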

