couchdb-dev mailing list archives

From Mario Scheliga <ma...@sourcegarden.de>
Subject Authorization on Server Handlers
Date Sun, 21 Feb 2010 15:37:17 GMT
Dear Devs,

I was playing around with CouchDB 0.10.0 and I was wondering why it's possible to trigger compaction unauthorized. I am also able to view _log. I am not ready yet, just testing other handlers too. Altogether I think that's a security issue, or is there a reason for this? I do not know.

Just take a look at http://jchrisa.net/_log ;-)

I think this information should be hidden from guest users. I am going to learn Erlang in the next couple of days, weeks, months, but for now I could not provide a patch for this. Chris guesses this would be a simple one-line patch with check_is_admin. I think I can do this next week.

What do you think?

Thanks a lot.
Mario


--
Sourcegarden GmbH HR: B-104357
Steuernummer: 37/167/21214 USt-ID: DE814784953
Geschaeftsfuehrer: Mario Scheliga, Rene Otto
Bank: Deutsche Bank, BLZ: 10070024, KTO: 0810929
Schoenhauser Allee 51, 10437 Berlin

