couchdb-dev mailing list archives

From Noah Slater <nsla...@tumbolia.org>
Subject Re: git commit: Allow POST to _log.
Date Sun, 30 Oct 2011 18:49:18 GMT
Doesn't this allow malicious user agents to craft spoofed log entries for
CouchDB? You could make it look like something very serious was happening,
causing the CouchDB admin to take measures that harm the server or the data
it contains. If we're going to do this at all (and I am not sure I see a
valid use case here) then the message should be prefixed with a big fat
notice that it's user generated.

On Sun, Oct 30, 2011 at 4:39 PM, <jan@apache.org> wrote:

> Updated Branches:
>  refs/heads/master f94530da9 -> 6cffccdfe
>
>
> Allow POST to _log.
>
> POST /_log {"level":"info|debug|error", "message":"your message here"}
>
> Patch by Robert Newson.
>
> Closes COUCHDB-464
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/6cffccdf
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/6cffccdf
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/6cffccdf
>
> Branch: refs/heads/master
> Commit: 6cffccdfe08e6d859cc7e83be3bcc521bf68fd5a
> Parents: f94530d
> Author: Jan Lehnardt <jan@apache.org>
> Authored: Sun Oct 30 17:38:18 2011 +0100
> Committer: Jan Lehnardt <jan@apache.org>
> Committed: Sun Oct 30 17:38:18 2011 +0100
>
> ----------------------------------------------------------------------
>  src/couchdb/couch_httpd_misc_handlers.erl |   21 ++++++++++++++++++---
>  1 files changed, 18 insertions(+), 3 deletions(-)
> ----------------------------------------------------------------------
>
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/6cffccdf/src/couchdb/couch_httpd_misc_handlers.erl
> ----------------------------------------------------------------------
> diff --git a/src/couchdb/couch_httpd_misc_handlers.erl
> b/src/couchdb/couch_httpd_misc_handlers.erl
> index 8abf0aa..ae6ffe3 100644
> --- a/src/couchdb/couch_httpd_misc_handlers.erl
> +++ b/src/couchdb/couch_httpd_misc_handlers.erl
> @@ -254,7 +254,22 @@ handle_log_req(#httpd{method='GET'}=Req) ->
>     ]),
>     send_chunk(Resp, Chunk),
>     last_chunk(Resp);
> +handle_log_req(#httpd{method='POST'}=Req) ->
> +    {PostBody} = couch_httpd:json_body_obj(Req),
> +    Level = couch_util:get_value(<<"level">>, PostBody),
> +    Message = ?b2l(couch_util:get_value(<<"message">>, PostBody)),
> +    case Level of
> +    <<"debug">> ->
> +        ?LOG_DEBUG(Message, []),
> +        send_json(Req, 200, {[{ok, true}]});
> +    <<"info">> ->
> +        ?LOG_INFO(Message, []),
> +        send_json(Req, 200, {[{ok, true}]});
> +    <<"error">> ->
> +        ?LOG_ERROR(Message, []),
> +        send_json(Req, 200, {[{ok, true}]});
> +    _ ->
> +        send_json(Req, 400, {[{error, ?l2b(io_lib:format("Unrecognized
> log level '~s'", [Level]))}]})
> +    end;
>  handle_log_req(Req) ->
> -    send_method_not_allowed(Req, "GET").
> -
> -
> +    send_method_not_allowed(Req, "GET,POST").
>
>
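
Review bot: In the three ?LOG_DEBUG / ?LOG_INFO / ?LOG_ERROR calls, the client-supplied Message sits in the first argument position with an empty argument list. If the macros treat that argument as a format string, which the [] suggests, any ~ sequence in the request body is interpreted as a format directive instead of being logged literally. Pass a fixed format, for example ?LOG_INFO("~s", [Message]), and use that fixed format to carry a marker that the entry came from a POST to _log and to escape newlines, which is the spoofing concern raised in the reply. Two smaller points in the same clause: ?b2l(...) is applied to the "message" value before any validation, so a body without that field never reaches the 400 branch that handles a bad level; and the clause as shown makes no authorization check of its own, so if the GET clause above restricts access to server admins, the POST clause should make the same call before logging.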
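
The concern raised in the reply, as an added example that is not part of the original thread or of CouchDB's code: a Python sketch of how a server could handle a POST /_log body so the entry is always marked as user generated and cannot start a fresh log line. The function name, marker wording, length cap and the `remote` parameter are assumptions.

```python
import json
import re

ALLOWED_LEVELS = {"debug", "info", "error"}    # the levels named in the commit message
MAX_MESSAGE_LEN = 512                          # assumed cap, not taken from the patch
USER_MARK = "[user-generated via POST /_log]"  # assumed wording for the notice

# C0 controls, DEL, C1 controls and the Unicode line/paragraph separators.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")

# Constructed request body: the message tries to begin a second, fake log line.
SAMPLE = b'{"level":"error","message":"disk ok\\n[error] [<0.1.0>] constructed fake entry"}'


def render_user_log(body, remote):
    """Validate a POST /_log body and return (level, single-line log text).

    `remote` is the peer address as seen by the server (hypothetical parameter).
    Raises ValueError for anything that should become a 400 response.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:  # covers invalid JSON and invalid UTF-8
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("body must be a JSON object")
    level, message = doc.get("level"), doc.get("message")
    if not isinstance(level, str) or level not in ALLOWED_LEVELS:
        raise ValueError("unrecognized log level")
    if not isinstance(message, str):
        raise ValueError("message must be a string")
    truncated = len(message) > MAX_MESSAGE_LEN
    # Escape backslash and quote first so the quoted field stays unambiguous,
    # then make every control character visible instead of emitting it raw.
    safe = message[:MAX_MESSAGE_LEN].replace("\\", "\\\\").replace('"', '\\"')
    safe = _CONTROL.sub(lambda m: "\\u%04x" % ord(m.group()), safe)
    if truncated:
        safe += "...[truncated]"
    # The message is data inside a fixed template, never the template itself.
    return level, '%s from=%s msg="%s"' % (USER_MARK, remote, safe)


if __name__ == "__main__":
    print(render_user_log(SAMPLE, "203.0.113.7"))
```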
