couchdb-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rnew...@apache.org
Subject couchdb commit: updated refs/heads/master to dda4a5f
Date Thu, 10 Sep 2015 13:00:57 GMT
Repository: couchdb
Updated Branches:
  refs/heads/master a84fcb2d9 -> dda4a5f22


Remove new CSRF mechanism


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/dda4a5f2
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/dda4a5f2
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/dda4a5f2

Branch: refs/heads/master
Commit: dda4a5f220fa5d3c705b784c9bb1f1dbe776d724
Parents: a84fcb2
Author: Robert Newson <rnewson@apache.org>
Authored: Thu Sep 10 12:26:29 2015 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Thu Sep 10 14:00:46 2015 +0100

----------------------------------------------------------------------
 dev/run                       |  7 +---
 test/javascript/tests/csrf.js | 84 --------------------------------------
 2 files changed, 2 insertions(+), 89 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/dda4a5f2/dev/run
----------------------------------------------------------------------
diff --git a/dev/run b/dev/run
index e519fa6..06c96be 100755
--- a/dev/run
+++ b/dev/run
@@ -30,7 +30,6 @@ import uuid
 from pbkdf2 import pbkdf2_hex
 
 COMMON_SALT = uuid.uuid4().hex
-COMMON_CSRF_SECRET = uuid.uuid4().hex
 
 try:
     from urllib import urlopen
@@ -259,11 +258,9 @@ def hack_local_ini(ctx, contents):
     previous_line = "; require_valid_user = false\n"
     contents = contents.replace(previous_line, previous_line + secret_line)
 
-    csrf_secret = '\n\n[csrf]\nsecret = %s\n' % COMMON_CSRF_SECRET
-
     if ctx['with_admin_party']:
         ctx['admin'] = ('Admin Party!', 'You do not need any password.')
-        return contents + csrf_secret
+        return contents
 
     # handle admin credentials passed from cli or generate own one
     if ctx['admin'] is None:
@@ -271,7 +268,7 @@ def hack_local_ini(ctx, contents):
     else:
         user, pswd = ctx['admin']
 
-    return contents + "\n%s = %s" % (user, hashify(pswd)) + csrf_secret
+    return contents + "\n%s = %s" % (user, hashify(pswd))
 
 
 def gen_password():

http://git-wip-us.apache.org/repos/asf/couchdb/blob/dda4a5f2/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
deleted file mode 100644
index e16e78b..0000000
--- a/test/javascript/tests/csrf.js
+++ /dev/null
@@ -1,84 +0,0 @@
-// Licensed under the Apache License, Version 2.0 (the "License"); you may not
-// use this file except in compliance with the License. You may obtain a copy of
-// the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-// License for the specific language governing permissions and limitations under
-// the License.
-
-couchTests.csrf = function(debug) {
-  var db = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
-  db.deleteDb();
-  db.createDb();
-
-  if (debug) debugger;
-
-  // Handy function to cause CouchDB to delete the CSRF cookie
-  var deleteCsrf = function() {
-    var xhr = CouchDB.request("POST", "/_session", {
-                              body: 'name=foo&password=bar',
-                              headers: {'X-CouchDB-CSRF': 'foo',
-                                        'Content-Type': 'application/x-www-form-urlencoded',
-                                        'Cookie': 'CouchDB-CSRF=foo'}});
-    TEquals(403, xhr.status);
-  };
-
-  var testFun = function () {
-  // Shouldn't receive header if we didn't ask for it
-  var xhr = CouchDB.request("GET", "/");
-  TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
-  TEquals(200, xhr.status);
-
-  // Matching but invalid cookie/header should 403
-  xhr = CouchDB.request("POST", "/_session", {
-                        body: 'name=foo&password=bar',
-                        headers: {'X-CouchDB-CSRF': 'foo',
-                                  'Content-Type': 'application/x-www-form-urlencoded',
-                                  'Cookie': 'CouchDB-CSRF=foo'}});
-  TEquals(403, xhr.status);
-  TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and
header");
-
-  // Can I acquire a CouchDB-CSRF cookie?
-  xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'true'}});
-  var cookie = xhr.getResponseHeader("Set-Cookie").match('^CouchDB-CSRF=([^;]+)');
-  T(cookie, "Should receive cookie");
-
-  // If I have a cookie, do I get a 403 if I don't send the header?
-  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
-                                              headers: {'Content-Type':
-                                                        'application/x-www-form-urlencoded'}});
-  TEquals(403, xhr.status);
-  TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
-
-  // If I have a cookie, do I get a 200 if I send a matching header?
-  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
-                                              headers: {"X-CouchDB-CSRF": cookie[1],
-                                                        'Content-Type': 'application/x-www-form-urlencoded'}});
-  TEquals(200, xhr.status);
-  TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent
this");
-
-  // How about the wrong header?
-  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
-                                              headers: {'X-CouchDB-CSRF': 'foo',
-                                                        'Content-Type': 'application/x-www-form-urlencoded'}});
-  TEquals(403, xhr.status);
-  TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
-
-  deleteCsrf();
-  };
-
-  run_on_modified_server(
-    [
-     {section: "couch_httpd_auth",
-      key: "iterations", value: "1"},
-     {section: "admins",
-       key: "foo", value: "bar"}
-    ],
-    testFun
-  );
-
-};


Mime
View raw message