
From kxe...@apache.org
Subject couch-mrview commit: updated refs/heads/master to 2ec52eb
Date Sun, 18 Oct 2015 00:19:02 GMT
Repository: couchdb-couch-mrview
Updated Branches:
  refs/heads/master f089832ea -> 2ec52eb3d


Check POST requests for valid json header

validate that all POST requests with a JSON body must also have a valid
JSON header: {"Content-Type": "application/json"}
This ensures a basic protection against CSRF

This closes #25

JIRA: COUCHDB-2775

Signed-off-by: Alexander Shorin <kxepal@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch-mrview/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch-mrview/commit/2ec52eb3
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch-mrview/tree/2ec52eb3
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch-mrview/diff/2ec52eb3

Branch: refs/heads/master
Commit: 2ec52eb3d8e187f5e9dfcaf8ab0dff55e40cd647
Parents: f089832
Author: Mayya Sharipova <mayyas@ca.ibm.com>
Authored: Wed Sep 2 16:14:51 2015 -0400
Committer: Alexander Shorin <kxepal@apache.org>
Committed: Sun Oct 18 03:17:18 2015 +0300

----------------------------------------------------------------------
 src/couch_mrview_http.erl | 11 ++++++++---
 src/couch_mrview_show.erl |  1 +
 2 files changed, 9 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch-mrview/blob/2ec52eb3/src/couch_mrview_http.erl
----------------------------------------------------------------------
diff --git a/src/couch_mrview_http.erl b/src/couch_mrview_http.erl
index 65e3197..b56d518 100644
--- a/src/couch_mrview_http.erl
+++ b/src/couch_mrview_http.erl
@@ -45,6 +45,7 @@
 handle_all_docs_req(#httpd{method='GET'}=Req, Db) ->
     all_docs_req(Req, Db, undefined);
 handle_all_docs_req(#httpd{method='POST'}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     Keys = couch_mrview_util:get_view_keys(chttpd:json_body_obj(Req)),
     all_docs_req(Req, Db, Keys);
 handle_all_docs_req(Req, _Db) ->
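Review bot: The new `chttpd:validate_ctype` line carries no comment saying why a Content-Type check is the CSRF mitigation the commit message describes, and the same bare line is added in handle_local_docs_req, handle_design_docs_req, handle_view_req and handle_view_list_req. A reader of this file later will not know the check exists for anything beyond input hygiene and may reorder or drop it; suggest `%% must precede json_body_obj: cross-site HTML forms cannot send application/json, so this rejects them before any body is parsed (COUCHDB-2775)`. It is correctly placed ahead of `chttpd:json_body_obj(Req)` here, so a rejected request never reaches the JSON parser. Note this is a form-submission guard only; requests that do carry a JSON content type still rely on authentication and the server's CORS policy. The body of the final catch-all clause lies outside the hunk.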
@@ -53,6 +54,7 @@ handle_all_docs_req(Req, _Db) ->
 handle_local_docs_req(#httpd{method='GET'}=Req, Db) ->
     all_docs_req(Req, Db, undefined, <<"_local">>);
 handle_local_docs_req(#httpd{method='POST'}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     Keys = couch_mrview_util:get_view_keys(chttpd:json_body_obj(Req)),
     all_docs_req(Req, Db, Keys, <<"_local">>);
 handle_local_docs_req(Req, _Db) ->
@@ -61,6 +63,7 @@ handle_local_docs_req(Req, _Db) ->
 handle_design_docs_req(#httpd{method='GET'}=Req, Db) ->
     all_docs_req(Req, Db, undefined, <<"_design">>);
 handle_design_docs_req(#httpd{method='POST'}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     Keys = couch_mrview_util:get_view_keys(chttpd:json_body_obj(Req)),
     all_docs_req(Req, Db, Keys, <<"_design">>);
 handle_design_docs_req(Req, _Db) ->
@@ -69,6 +72,7 @@ handle_design_docs_req(Req, _Db) ->
 handle_reindex_req(#httpd{method='POST',
                           path_parts=[_, _, DName,<<"_reindex">>]}=Req,
                    Db, _DDoc) ->
+    chttpd:validate_ctype(Req, "application/json"),
     ok = couch_db:check_is_admin(Db),
     couch_mrview:trigger_update(Db, <<"_design/", DName/binary>>),
     chttpd:send_json(Req, 201, {[{<<"ok">>, true}]});
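Review bot: handle_reindex_req never reads a request body (the clause only calls check_is_admin, trigger_update and send_json), yet the new check now requires an application/json Content-Type; the commit message only claims to cover "POST requests with json body". If `chttpd:validate_ctype` rejects a missing header, existing clients that POST to `_reindex` with an empty body and no Content-Type will start failing, which is a compatibility change worth stating in the message. The same applies to handle_compact_req and handle_cleanup_req further down, which also read no body. If intentional, document it at the call site: `%% no body is read here; the ctype check is purely the CSRF guard (COUCHDB-2775)`.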
@@ -111,6 +115,7 @@ handle_view_req(#httpd{method='GET'}=Req, Db, DDoc) ->
     couch_stats:increment_counter([couchdb, httpd, view_reads]),
     design_doc_view(Req, Db, DDoc, ViewName, undefined);
 handle_view_req(#httpd{method='POST'}=Req, Db, DDoc) ->
+    chttpd:validate_ctype(Req, "application/json"),
     [_, _, _, _, ViewName] = Req#httpd.path_parts,
     Props = chttpd:json_body_obj(Req),
     Keys = couch_mrview_util:get_view_keys(Props),
@@ -136,7 +141,7 @@ handle_view_req(Req, _Db, _DDoc) ->
 
 
 handle_temp_view_req(#httpd{method='POST'}=Req, Db) ->
-    couch_httpd:validate_ctype(Req, "application/json"),
+    chttpd:validate_ctype(Req, "application/json"),
     ok = couch_db:check_is_admin(Db),
     {Body} = chttpd:json_body_obj(Req),
     DDoc = couch_mrview_util:temp_view_to_ddoc({Body}),
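Review bot: The replacement of `couch_httpd:validate_ctype` with `chttpd:validate_ctype` on the `_temp_view` path is not mentioned in the commit message, and I cannot tell from here whether the two implementations treat a missing header or a charset parameter identically; if they differ this is a silent behavior change for an admin-only endpoint. The same module swap appears in handle_compact_req and handle_cleanup_req. A sentence in the message such as "switch the remaining couch_httpd:validate_ctype calls to chttpd:validate_ctype so every mrview endpoint shares one check" would make the intent reviewable. The body of handle_temp_view_req continues outside the hunk.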
@@ -159,8 +164,8 @@ handle_info_req(Req, _Db, _DDoc) ->
 
 
 handle_compact_req(#httpd{method='POST'}=Req, Db, DDoc) ->
+    chttpd:validate_ctype(Req, "application/json"),
     ok = couch_db:check_is_admin(Db),
-    couch_httpd:validate_ctype(Req, "application/json"),
     ok = couch_mrview:compact(Db, DDoc),
     chttpd:send_json(Req, 202, {[{ok, true}]});
 handle_compact_req(Req, _Db, _DDoc) ->
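Review bot: Moving `chttpd:validate_ctype` ahead of `couch_db:check_is_admin(Db)` changes which failure a caller sees first; a non-admin request with a non-JSON Content-Type presumably now receives the content-type error rather than the authorization error it got before. That is a visible change for clients and tests that the commit message does not mention, and handle_cleanup_req below makes the same reorder. If the ordering is deliberate, say so at the call site: `%% ctype check first: refuse non-JSON POSTs before any authorization lookup or db work`. The body of the final catch-all clause lies outside the hunk.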
@@ -168,8 +173,8 @@ handle_compact_req(Req, _Db, _DDoc) ->
 
 
 handle_cleanup_req(#httpd{method='POST'}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     ok = couch_db:check_is_admin(Db),
-    couch_httpd:validate_ctype(Req, "application/json"),
     ok = couch_mrview:cleanup(Db),
     chttpd:send_json(Req, 202, {[{ok, true}]});
 handle_cleanup_req(Req, _Db) ->

http://git-wip-us.apache.org/repos/asf/couchdb-couch-mrview/blob/2ec52eb3/src/couch_mrview_show.erl
----------------------------------------------------------------------
diff --git a/src/couch_mrview_show.erl b/src/couch_mrview_show.erl
index 1d67bc9..dcfe22f 100644
--- a/src/couch_mrview_show.erl
+++ b/src/couch_mrview_show.erl
@@ -165,6 +165,7 @@ handle_view_list_req(#httpd{method=Method}=Req, Db, DDoc)
             chttpd:send_error(Req, 404, <<"list_error">>, <<"Bad path.">>)
     end;
 handle_view_list_req(#httpd{method='POST'}=Req, Db, DDoc) ->
+    chttpd:validate_ctype(Req, "application/json"),
     {Props} = chttpd:json_body_obj(Req),
     Keys = proplists:get_value(<<"keys">>, Props),
     case Req#httpd.path_parts of

