couchdb-dev mailing list archives

From Curt Arnold <carn...@apache.org>
Subject Re: Second call for objections releasing 0.10
Date Sun, 20 Sep 2009 23:51:47 GMT

On Sep 20, 2009, at 4:48 PM, Chris Anderson wrote:
>
> That's the sort of thing that'd get backported for 0.10.1 anyway, so I
> don't think it's a blocker. Also, probably a fairly easy patch.
>
> Chris
>


COUCHDB-345 seemed to get no attention in the last call for objections  
(other than the fix to a unit test that would break if a patch were  
applied).

I believe the problem addressed in the issue makes every CouchDB
installation that allows untrusted users to write to the database
vulnerable.  Also, as far as I know, there is not a simple procedure to
recover a CouchDB that has been wedged by a malicious or unintentional
insert of a malencoded document.

No one has objected to the badenc1.patch; however, I believe the
performance cost could be reduced by first scanning the incoming byte  
array and only calling xmerl_ucs:from_utf8 on the portion beginning  
with the first byte value >= 0x80.  I'm not confident in my Erlang  
skills yet to think that I know the optimal way of coding that.   
However, I think it would be better to get some fix in than wait for  
an optimal fix.
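
The prefix scan suggested in the message above, sketched in Erlang as an added example; it is not code from the message, from badenc1.patch, or from CouchDB. The module and function names are hypothetical, the sample inputs are constructed, and it assumes xmerl_ucs:from_utf8/1 exits when it meets a malformed sequence.

```erlang
%% Added example: ASCII fast path in front of xmerl_ucs:from_utf8/1.
%% Module and function names are hypothetical, not CouchDB's.
-module(utf8_fastpath).
-export([check/1, demo/0]).

%% Returns ok when Bin is accepted, or {error, Offset} where Offset is the
%% position of the first byte >= 16#80, i.e. where full decoding started.
%% Skipping the prefix is safe because bytes below 16#80 are always complete
%% single-byte code points in UTF-8 and never part of a multi-byte sequence.
-spec check(binary()) -> ok | {error, non_neg_integer()}.
check(Bin) when is_binary(Bin) ->
    case first_high_byte(Bin, 0) of
        none ->
            ok;                            % pure ASCII: decoder never called
        Offset ->
            <<_:Offset/binary, Tail/binary>> = Bin,
            try xmerl_ucs:from_utf8(Tail) of
                _CodePoints -> ok
            catch
                exit:_ -> {error, Offset}  % assumed: exit on malformed input
            end
    end.

%% Linear scan for the first byte with the high bit set.
first_high_byte(<<B, Rest/binary>>, N) when B < 16#80 ->
    first_high_byte(Rest, N + 1);
first_high_byte(<<_, _/binary>>, N) ->
    N;
first_high_byte(<<>>, _N) ->
    none.

%% Constructed sample inputs; each match fails loudly if check/1 disagrees.
demo() ->
    ok = check(<<"{\"name\":\"plain ascii\"}">>),
    ok = check(<<"caf", 16#C3, 16#A9>>),         % valid two-byte sequence
    {error, 3} = check(<<"bad", 16#C3, "x">>),   % lead byte, no continuation
    {error, 0} = check(<<16#80, "abc">>),        % stray continuation byte
    ok.
```

Only the tail starting at the first high byte is handed to the decoder, so documents that are entirely ASCII cost one pass over the bytes and no list construction.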


