From commits-return-32302-archive-asf-public=cust-asf.ponee.io@couchdb.apache.org Sat Mar 3 02:39:48 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id B1002180671 for ; Sat, 3 Mar 2018 02:39:47 +0100 (CET) Received: (qmail 19504 invoked by uid 500); 3 Mar 2018 01:39:46 -0000 Mailing-List: contact commits-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list commits@couchdb.apache.org Received: (qmail 19494 invoked by uid 99); 3 Mar 2018 01:39:46 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 03 Mar 2018 01:39:46 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 05DBF828EC; Sat, 3 Mar 2018 01:39:45 +0000 (UTC) Date: Sat, 03 Mar 2018 01:39:46 +0000 To: "commits@couchdb.apache.org" Subject: [couchdb] 01/01: Prevent access to Fauxton on node-local port (5986) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit 
From: wohali@apache.org
In-Reply-To: <152004118581.16668.10471624969222116650@gitbox.apache.org>
References: <152004118581.16668.10471624969222116650@gitbox.apache.org>
X-Git-Host: gitbox.apache.org
X-Git-Repo: couchdb
X-Git-Refname: refs/heads/1198-no-5986-fauxton
X-Git-Reftype: branch
X-Git-Rev: 2b2c8add41147a2e86e04ad57805ca8e5d77472a
X-Git-NotificationType: diff
X-Git-Multimail-Version: 1.5.dev
Auto-Submitted: auto-generated
Message-Id: <20180303013946.05DBF828EC@gitbox.apache.org>

This is an automated email from the ASF dual-hosted git repository.

wohali pushed a commit to branch 1198-no-5986-fauxton in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 2b2c8add41147a2e86e04ad57805ca8e5d77472a
Author: Joan Touzet
AuthorDate: Fri Mar 2 19:12:56 2018 -0500

    Prevent access to Fauxton on node-local port (5986)

    Will help stop people shooting themselves in the foot and/or using node-local CouchDB as their "main" CouchDB port.

    Closes #1198
---
 src/couch/src/couch_httpd_misc_handlers.erl | 17 +-----
 src/couch/test/couchdb_csp_tests.erl | 82 -----------------------------
 src/couch/test/couchdb_vhosts_tests.erl | 25 ---------
 3 files changed, 2 insertions(+), 122 deletions(-)

diff --git a/src/couch/src/couch_httpd_misc_handlers.erl b/src/couch/src/couch_httpd_misc_handlers.erl
index ddc3d64..51dc2be 100644
--- a/src/couch/src/couch_httpd_misc_handlers.erl
+++ b/src/couch/src/couch_httpd_misc_handlers.erl
@@ -61,22 +61,9 @@ handle_file_req(#httpd{method='GET'}=Req, Document) ->
 handle_file_req(Req, _) ->
     send_method_not_allowed(Req, "GET,HEAD").
 
-handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
-    "/" ++ UrlPath = couch_httpd:path(Req),
-    case couch_httpd:partition(UrlPath) of
-    {_ActionKey, "/", RelativePath} ->
-        % GET /_utils/path or GET /_utils/
-        CachingHeaders = [{"Cache-Control", "private, must-revalidate"}],
-        EnableCsp = config:get("csp", "enable", "false"),
-        Headers = maybe_add_csp_headers(CachingHeaders, EnableCsp),
-        couch_httpd:serve_file(Req, RelativePath, DocumentRoot, Headers);
-    {_ActionKey, "", _RelativePath} ->
-        % GET /_utils
-        RedirectPath = couch_httpd:path(Req) ++ "/",
-        couch_httpd:send_redirect(Req, RedirectPath)
-    end;
 handle_utils_dir_req(Req, _) ->
-    send_method_not_allowed(Req, "GET,HEAD").
+    send_error(Req, 410, <<"no_node_local_fauxton">>,
+        ?l2b("The web interface is no longer available on the node-local port.")).
 
 maybe_add_csp_headers(Headers, "true") ->
     DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
diff --git a/src/couch/test/couchdb_csp_tests.erl b/src/couch/test/couchdb_csp_tests.erl
deleted file mode 100644
index 5eb33f9..0000000
--- a/src/couch/test/couchdb_csp_tests.erl
+++ /dev/null
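Review bot: `maybe_add_csp_headers/2` loses its only visible caller in this hunk (the removed `GET` clause was what read `config:get("csp", "enable", "false")` and passed the value in), yet the helper and its `DefaultValues` policy string are kept just below; if it is not in the module's export list the compiler will now flag it as unused, which breaks any build that compiles with `warnings_as_errors`. Either delete the helper together with the handler, or move it to the module that still serves Fauxton on the clustered port (I cannot see from here whether chttpd already carries its own copy). The new catch-all `handle_utils_dir_req(Req, _)` clause answers 410 for every method, so `HEAD`/`POST` now get 410 instead of the old 405; that is reasonable for a retired endpoint but deserves a one-line comment above the clause such as `% Fauxton is served only from the clustered port; node-local /_utils answers 410 for every method.`. Since the deleted couchdb_csp_tests were the only tests hitting `/_utils/` on the couch_httpd port, consider adding an eunit case asserting the 410 status and the `no_node_local_fauxton` error body there, so the lockdown cannot be silently undone by a later config or handler change. `maybe_add_csp_headers/2` itself continues past the end of this hunk.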
@@ -1,82 +0,0 @@
-% Licensed under the Apache License, Version 2.0 (the "License"); you may not
-% use this file except in compliance with the License. You may obtain a copy of
-% the License at
-%
-% http://www.apache.org/licenses/LICENSE-2.0
-%
-% Unless required by applicable law or agreed to in writing, software
-% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-% License for the specific language governing permissions and limitations under
-% the License.
-
--module(couchdb_csp_tests).
-
--include_lib("couch/include/couch_eunit.hrl").
-
--define(TIMEOUT, 1000).
-
-
-setup() ->
-    ok = config:set("csp", "enable", "true", false),
-    Addr = config:get("httpd", "bind_address", "127.0.0.1"),
-    Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
-    lists:concat(["http://", Addr, ":", Port, "/_utils/"]).
-
-teardown(_) ->
-    ok.
-
-
-csp_test_() ->
-    {
-        "Content Security Policy tests",
-        {
-            setup,
-            fun test_util:start_couch/0, fun test_util:stop_couch/1,
-            {
-                foreach,
-                fun setup/0, fun teardown/1,
-                [
-                    fun should_not_return_any_csp_headers_when_disabled/1,
-                    fun should_apply_default_policy/1,
-                    fun should_return_custom_policy/1,
-                    fun should_only_enable_csp_when_true/1
-                ]
-            }
-        }
-    }.
-
-
-should_not_return_any_csp_headers_when_disabled(Url) ->
-    ?_assertEqual(undefined,
-        begin
-            ok = config:set("csp", "enable", "false", false),
-            {ok, _, Headers, _} = test_request:get(Url),
-            proplists:get_value("Content-Security-Policy", Headers)
-        end).
-
-should_apply_default_policy(Url) ->
-    ?_assertEqual(
-        "default-src 'self'; img-src 'self' data:; font-src 'self'; "
-        "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
-        begin
-            {ok, _, Headers, _} = test_request:get(Url),
-            proplists:get_value("Content-Security-Policy", Headers)
-        end).
-
-should_return_custom_policy(Url) ->
-    ?_assertEqual("default-src 'http://example.com';",
-        begin
-            ok = config:set("csp", "header_value",
-                "default-src 'http://example.com';", false),
-            {ok, _, Headers, _} = test_request:get(Url),
-            proplists:get_value("Content-Security-Policy", Headers)
-        end).
-
-should_only_enable_csp_when_true(Url) ->
-    ?_assertEqual(undefined,
-        begin
-            ok = config:set("csp", "enable", "tru", false),
-            {ok, _, Headers, _} = test_request:get(Url),
-            proplists:get_value("Content-Security-Policy", Headers)
-        end).
diff --git a/src/couch/test/couchdb_vhosts_tests.erl b/src/couch/test/couchdb_vhosts_tests.erl
index dfac73c..2562a06 100644
--- a/src/couch/test/couchdb_vhosts_tests.erl
+++ b/src/couch/test/couchdb_vhosts_tests.erl
@@ -46,14 +46,6 @@ setup() ->
     couch_db:ensure_full_commit(Db),
     couch_db:close(Db),
 
-    test_util:with_process_restart(couch_httpd, fun() ->
-        config:set("httpd_global_handlers", "_utils",
-            "{couch_httpd_misc_handlers, handle_utils_dir_req, <<\""
-            ++ ?TEMPDIR
-            ++ "\">>}"
-        )
-    end),
-
     Addr = config:get("httpd", "bind_address", "127.0.0.1"),
     Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
     Url = "http://" ++ Addr ++ ":" ++ Port,
@@ -76,7 +68,6 @@ vhosts_test_() ->
         [
             fun should_return_database_info/1,
             fun should_return_revs_info/1,
-            fun should_serve_utils_for_vhost/1,
             fun should_return_virtual_request_path_field_in_request/1,
             fun should_return_real_request_path_field_in_request/1,
             fun should_match_wildcard_vhost/1,
@@ -122,22 +113,6 @@ should_return_revs_info({Url, DbName}) ->
         end
     end).
 
-should_serve_utils_for_vhost({Url, DbName}) ->
-    ?_test(begin
-        ok = config:set("vhosts", "example.com", "/" ++ DbName, false),
-        ensure_index_file(),
-        case test_request:get(Url ++ "/_utils/index.html", [],
-                              [{host_header, "example.com"}]) of
-            {ok, _, _, Body} ->
-                ?assertMatch(<<"", _/binary>>, Body);
-            Else ->
-                erlang:error({assertion_failed,
-                              [{module, ?MODULE},
-                               {line, ?LINE},
-                               {reason, ?iofmt("Request failed: ~p", [Else])}]})
-        end
-    end).
-
 should_return_virtual_request_path_field_in_request({Url, DbName}) ->
     ?_test(begin
         ok = config:set("vhosts", "example1.com",

-- 
To stop receiving notification emails like this one, please contact wohali@apache.org.