couchdb-dev mailing list archives

From Curt Arnold <carn...@apache.org>
Subject Re: Second call for objections releasing 0.10
Date Mon, 21 Sep 2009 14:08:02 GMT

On Sep 20, 2009, at 8:06 AM, Noah Slater wrote:

> Hey,
>
> I've been following the first thread, but am unsure where we all
> stand. This is my second call for objections following our previous
> discussion. Do we all feel ready to prepare and vote on the 0.10
> release now?
>
> Thanks,
>
> -- 
> Noah Slater, http://tumbolia.org/nslater


The "invalid json allowed into CouchDB" thread on user@couchdb.apache.org
appears to offer a means of gaming a system to place data in a
document that would be seen by CouchDB, but could be hidden from
clients.

I think the issue needs to be resolved before cutting 0.10.  It does
appear to be a security issue, but one whose resolution could
negatively impact some fraction of apps that depended on the
behavior.  If we address it before 0.10, we could just reject the
document as invalid.  As a security patch in a 0.10.1 or so, we may
feel compelled to try to merge the data to preserve the rare app that
depended on the function.

My initial opinion is that any document with multiple occurrences of a
property should be rejected, and it could just be woven into the patch
for COUCHDB-345.
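The duplicate-property problem discussed above, as an added example that is not part of this thread or of CouchDB's own code: a strict JSON loader that rejects any document repeating a property (the resolution proposed in the message), beside two lenient parses showing how a server and a client can end up seeing different values for the same key. The sample document and all function names are constructed for this example.

```python
import json
from typing import Any

# Constructed sample: the same property appears twice in one document.
# Which value "wins" depends on the parser, so a server and a client
# can disagree on what the document says.
DUPLICATE_DOC = '{"_id": "doc1", "role": "user", "role": "admin"}'


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a property name."""


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    """object_pairs_hook that refuses objects with repeated keys.

    json.loads calls this hook for every object, nested ones included,
    so a duplicate anywhere in the document is caught.
    """
    obj: dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate property {key!r}")
        obj[key] = value
    return obj


def load_strict(text: str) -> Any:
    """Parse JSON, rejecting any object with a repeated property."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def load_first_wins(text: str) -> Any:
    """Lenient parse that keeps the first occurrence of a repeated key."""
    return json.loads(text, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def load_last_wins(text: str) -> Any:
    """Lenient parse that keeps the last occurrence (json.loads default)."""
    return json.loads(text)


def is_valid_document(text: str) -> bool:
    """True only if the text parses and contains no repeated property."""
    try:
        load_strict(text)
    except ValueError:  # covers both malformed JSON and DuplicateKeyError
        return False
    return True
```

Run against DUPLICATE_DOC, the first-wins parse reports "user" and the last-wins parse reports "admin", while the strict loader rejects the document outright.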
