From: "Jason Smith (JIRA)"
To: dev@couchdb.apache.org
Date: Sun, 18 Jul 2010 13:18:49 -0400 (EDT)
Subject: [jira] Created: (COUCHDB-829) Denial of Service vulnerability in rewriter

Denial of Service vulnerability in rewriter
-------------------------------------------

                 Key: COUCHDB-829
                 URL: https://issues.apache.org/jira/browse/COUCHDB-829
             Project: CouchDB
          Issue Type: Bug
          Components: Database Core
    Affects Versions: 1.0
         Environment: CouchDB trunk, erl R13B04
            Reporter: Jason Smith

Untrusted, unsanitized user input should not be converted to atoms because it allows the user to fill up the atom table in the VM, wasting memory and eventually causing a couchdb crash.

If rewriting is enabled (which it is by default), and if an attacker knows a database and ddoc name (even if the ddoc has no _rewrite rules), the attacker can permanently enter atoms into the system.

I have not exhaustively audited couch_httpd_rewrite.erl but for instance handle_rewrite_req/3 converts all URL query keys to atoms.

[info] [<0.38.0>] Apache CouchDB has started on http://0.0.0.0:5984/
1> erlang:list_to_existing_atom("do_i_exist").
** exception error: bad argument
     in function  list_to_existing_atom/1
        called as list_to_existing_atom("do_i_exist")

$ curl -X PUT localhost:5984/ex
{"ok":true}
$ curl -X PUT localhost:5984/ex/_design/ex -d {}
{"ok":true,"id":"_design/ex","rev":"1-967a00dff5e02add41819138abb3284d"}
$ curl http://localhost:5984/ex/_design/ex/_rewrite?do_i_exist=blah
{"error":"rewrite_error","reason":"Invalid path."}

2> [info] [<0.109.0>] 127.0.0.1 - - 'GET' /ex/_design/ex/_rewrite?do_i_exist=blah 404
2> erlang:list_to_existing_atom("do_i_exist").
do_i_exist
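The conversion pattern reported above next to a hardened form, as an added example that is not part of the original message and is not CouchDB's code. The module and function names are hypothetical, the query list is constructed, and erlang:system_info(atom_count) assumes OTP 20 or later.

```erlang
-module(rewrite_keys).
-export([unsafe_keys/1, safe_keys/1, demo/0]).

%% Models the behaviour the report describes: every query key becomes
%% an atom. Atoms are never garbage collected, so each distinct key
%% permanently occupies a slot in the VM's atom table.
unsafe_keys(Query) ->
    [{list_to_atom(K), V} || {K, V} <- Query].

%% Hardened form: a key is converted only if the atom already exists,
%% i.e. it is a name that loaded code already uses. Any other key is
%% kept as a binary, which is ordinary garbage-collected data.
safe_keys(Query) ->
    [{to_known_key(K), V} || {K, V} <- Query].

to_known_key(K) ->
    try
        list_to_existing_atom(K)
    catch
        error:badarg -> list_to_binary(K)
    end.

%% Constructed sample input: 1000 distinct query keys in the
%% [{Key, Value}] string form a query-string parser would hand over.
sample_query(Prefix) ->
    [{Prefix ++ integer_to_list(N), "blah"} || N <- lists:seq(1, 1000)].

%% Returns {GrowthUnsafe, GrowthSafe}: how many atom-table entries
%% each variant added while processing the same number of new keys.
demo() ->
    A0 = erlang:system_info(atom_count),
    _ = unsafe_keys(sample_query("unsafe_key_")),
    A1 = erlang:system_info(atom_count),
    _ = safe_keys(sample_query("safe_key_")),
    A2 = erlang:system_info(atom_count),
    {A1 - A0, A2 - A1}.
```

Comparing erlang:system_info(atom_count) against erlang:system_info(atom_limit) on a running node is also a cheap health check for this class of bug.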