From kxe...@apache.org
Subject couchdb-mango git commit: validate that all POST requests with json body must have also have valid json header: {"Content-Type": "application/json"} This ensures a basic protection against CSRF
Date Sat, 17 Oct 2015 21:46:26 GMT
Repository: couchdb-mango
Updated Branches:
  refs/heads/master 0dd2000f6 -> 0cc0fb8d2


validate that all POST requests with a JSON body must also have a valid
JSON header: {"Content-Type": "application/json"}
This ensures a basic protection against CSRF

JIRA: COUCHDB-2775


Project: http://git-wip-us.apache.org/repos/asf/couchdb-mango/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-mango/commit/0cc0fb8d
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-mango/tree/0cc0fb8d
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-mango/diff/0cc0fb8d

Branch: refs/heads/master
Commit: 0cc0fb8d2c2e04a4df5a1e7deb198abc78266a97
Parents: 0dd2000
Author: Mayya Sharipova <mayyas@ca.ibm.com>
Authored: Fri Oct 16 15:29:16 2015 -0400
Committer: Mayya Sharipova <mayyas@ca.ibm.com>
Committed: Fri Oct 16 15:29:16 2015 -0400

----------------------------------------------------------------------
 src/mango_httpd.erl | 4 ++++
 1 file changed, 4 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-mango/blob/0cc0fb8d/src/mango_httpd.erl
----------------------------------------------------------------------
diff --git a/src/mango_httpd.erl b/src/mango_httpd.erl
index ef83bda..9e56be9 100644
--- a/src/mango_httpd.erl
+++ b/src/mango_httpd.erl
@@ -81,6 +81,7 @@ handle_index_req(#httpd{method='GET', path_parts=[_, _]}=Req, Db) ->
 	chttpd:send_json(Req, {[{total_rows, TotalRows}, {indexes, JsonIdxs}]});
 
 handle_index_req(#httpd{method='POST', path_parts=[_, _]}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     {ok, Opts} = mango_opts:validate_idx_create(chttpd:json_body_obj(Req)),
     {ok, Idx0} = mango_idx:new(Db, Opts),
     {ok, Idx} = mango_idx:validate_new(Idx0),
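Review bot: The same guard line is pasted verbatim into four clauses (this hunk, the `_bulk_delete` clause, `handle_explain_req` and `handle_find_req`), so the next POST clause that calls `chttpd:json_body_obj/1` can be added without it and silently lose the protection the commit is introducing; a private helper such as `json_body(Req) -> chttpd:validate_ctype(Req, "application/json"), chttpd:json_body_obj(Req).` used in place of each `chttpd:json_body_obj(Req)` ties the check to the body read so the two cannot drift apart. Placing the call before the body is parsed is the right order, since a rejected request then never reaches `mango_opts`. The diffstat shows only `mango_httpd.erl` changed, so there is no test for the rejection path; a test that POSTs a valid body once with no Content-Type and once with a non-JSON one, and expects the error `chttpd:validate_ctype/2` raises (presumably a 415, but that is decided in chttpd, outside this diff), would pin the behaviour. Whether a `Content-Type` carrying a `;charset=utf-8` parameter is still accepted also depends on how `chttpd:validate_ctype/2` matches, which is worth confirming before existing clients that send it are broken. The `handle_index_req` POST clause continues past the end of the hunk.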
@@ -111,6 +112,7 @@ handle_index_req(#httpd{method='POST', path_parts=[_, _]}=Req, Db) ->
 %% deleted, but an error will be thrown for the current ddoc id.
 handle_index_req(#httpd{method='POST', path_parts=[_, <<"_index">>,
         <<"_bulk_delete">>]}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     {ok, Opts} = mango_opts:validate_bulk_delete(chttpd:json_body_obj(Req)),
     Idxs = mango_idx:list(Db),
     DDocs = get_bulk_delete_ddocs(Opts),
@@ -158,6 +160,7 @@ handle_index_req(Req, _Db) ->
 
 
 handle_explain_req(#httpd{method='POST'}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     {ok, Opts0} = mango_opts:validate_find(chttpd:json_body_obj(Req)),
     {value, {selector, Sel}, Opts} = lists:keytake(selector, 1, Opts0),
     Resp = mango_crud:explain(Db, Sel, Opts),
@@ -168,6 +171,7 @@ handle_explain_req(Req, _Db) ->
 
 
 handle_find_req(#httpd{method='POST'}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     {ok, Opts0} = mango_opts:validate_find(chttpd:json_body_obj(Req)),
     {value, {selector, Sel}, Opts} = lists:keytake(selector, 1, Opts0),
     {ok, Resp0} = start_find_resp(Req),

