From: Mario Scheliga <mario@sourcegarden.de>
To: dev@couchdb.apache.org
Subject: Authorization on Server Handlers
Date: Sun, 21 Feb 2010 16:37:17 +0100
Message-Id: <3EA60144-DCE0-432C-BF2C-F1A118A5CCAB@sourcegarden.de>

Dear Devs,

I was playing around with CouchDB 0.10.0 and I was wondering why it's possible to trigger compaction unauthorized; I am also able to view _log. I am not ready yet, just testing other handlers too. Altogether I think that's a security issue, or is there a reason for this that I do not know? Just take a look at http://jchrisa.net/_log ;-)

I think this information should be hidden from guest users. I am going to learn Erlang in the next couple of days, weeks, months, but for now I could not provide a patch for this. Chris guesses this would be a simple one-line patch with check_is_admin. I think I can do this next week.

What do you think?

Thx a lot.
mario

-- 
Sourcegarden GmbH
Commercial register: B-104357
Tax number: 37/167/21214
VAT ID: DE814784953
Managing directors: Mario Scheliga, Rene Otto
Bank: Deutsche Bank, BLZ: 10070024, KTO: 0810929
Schoenhauser Allee 51, 10437 Berlin
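Added example, not code from CouchDB or from anyone in the thread: a small Python stand-in for CouchDB-style server handlers that shows the gap the mail describes (a guest can read _log and trigger _compact) next to the admin check that closes it. The names user_ctx, check_is_admin, dispatch and ADMIN_ONLY are assumptions; the "_admin" role in userCtx is how CouchDB marks server admins.

```python
# Added illustration of the missing authorization check described in the
# mail; not CouchDB's own handler code. All names here are assumed.

ADMIN_ONLY = {"_log", "_compact"}  # the two handlers named in the mail

GUEST = {"name": None, "roles": []}            # constructed: anonymous user
ADMIN = {"name": "root", "roles": ["_admin"]}  # constructed: server admin


def check_is_admin(user_ctx):
    """The one-line guard the mail suggests: only a userCtx carrying the
    "_admin" role may proceed; anyone else is answered with a 401."""
    if "_admin" not in user_ctx.get("roles", []):
        return {"status": 401, "body": {"error": "unauthorized"}}
    return None


def handle_log(store):
    # Returns the server log; sensitive because it may leak paths and names.
    return {"status": 200, "body": store["log"]}


def handle_compact(store, db):
    # Starts compaction of one database: an expensive, admin-only operation.
    store["compacting"].add(db)
    return {"status": 202, "body": {"ok": True}}


def dispatch(path, user_ctx, store, check_admin=True):
    """Route a request. check_admin=False reproduces the 0.10.0 behaviour
    the mail reports (handlers reachable without any authorization)."""
    parts = [p for p in path.split("/") if p]
    handler = parts[-1] if parts else ""
    if handler not in ADMIN_ONLY:
        return {"status": 404, "body": {"error": "not_found"}}
    if handler == "_compact" and len(parts) != 2:   # needs /{db}/_compact
        return {"status": 404, "body": {"error": "not_found"}}
    if check_admin:
        denied = check_is_admin(user_ctx)  # the line that was missing
        if denied:
            return denied
    if handler == "_log":
        return handle_log(store)
    return handle_compact(store, parts[0])


def new_store():
    # Constructed server state: two log lines, no compaction running.
    return {"log": ["[info] db mydb opened", "[debug] view index updated"],
            "compacting": set()}
```

With check_admin=False a guest request to /_log returns 200 and /mydb/_compact returns 202; with the check in place both return 401 while an admin still gets through.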