couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin Hilbig (JIRA)" <j...@apache.org>
Subject [jira] Commented: (COUCHDB-759) rewriter should be securely jailed in a single database by default
Date Sun, 23 Jan 2011 11:30:45 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12985296#action_12985296
] 

Martin Hilbig commented on COUCHDB-759:
---------------------------------------

hi,

i would like to see this bug reopend, since the rewriter jail can be easily broken
when there is a rewrite rule with an *. consider this one:

{
    "from": "/doc/*",
    "to": "/../../*",
    "method": "GET"
 }

this rewrite rule provides cross-db access like these (even behind a vhost):

http://vhost.localhost:5984/doc/../../../../../otherdb/docid
http://vhost.localhost:5984/doc/../../../../../_all_dbs

so i propose that either rewrite rules with an asterix in them should be 
considered insecure (and therefore catched by secure_rewrites option) or
(even better) couchdb should forbid requests with to many .. in them.

have fun

> rewriter should be securely jailed in a single database by default
> ------------------------------------------------------------------
>
>                 Key: COUCHDB-759
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-759
>             Project: CouchDB
>          Issue Type: Bug
>            Reporter: Chris Anderson
>
> This will allow us to isolate databases using vhosts and the browser's single-origin
policy.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message