Date: Sun, 30 Oct 2011 18:49:18 +0000
Subject: Re: git commit: Allow POST to _log.
From: Noah Slater
To: dev@couchdb.apache.org

Doesn't this allow malicious user agents to craft spoofed log entries for CouchDB? You could make it look like something very serious was happening, causing the CouchDB admin to take measures that harm the server or the data it contains.

If we're going to do this at all (and I am not sure I see a valid use case here) then the message should be prefixed with a big fat notice that it's user generated.

On Sun, Oct 30, 2011 at 4:39 PM, wrote:

> Updated Branches:
> refs/heads/master f94530da9 -> 6cffccdfe
>
>
> Allow POST to _log.
>
> POST /_log {"level":"info|debug|error", "message":"your message here"}
>
> Patch by Robert Newson.
>
> Closes COUCHDB-464
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/6cffccdf
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/6cffccdf
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/6cffccdf
>
> Branch: refs/heads/master
> Commit: 6cffccdfe08e6d859cc7e83be3bcc521bf68fd5a
> Parents: f94530d
> Author: Jan Lehnardt
> Authored: Sun Oct 30 17:38:18 2011 +0100
> Committer: Jan Lehnardt
> Committed: Sun Oct 30 17:38:18 2011 +0100
>
> ----------------------------------------------------------------------
> src/couchdb/couch_httpd_misc_handlers.erl | 21 ++++++++++++++++++---
> 1 files changed, 18 insertions(+), 3 deletions(-)
> ----------------------------------------------------------------------
>
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/6cffccdf/src/couchdb/couch_httpd_misc_handlers.erl
> ----------------------------------------------------------------------
> diff --git a/src/couchdb/couch_httpd_misc_handlers.erl > b/src/couchdb/couch_httpd_misc_handlers.erl > index 8abf0aa..ae6ffe3 100644
> --- a/src/couchdb/couch_httpd_misc_handlers.erl > +++ b/src/couchdb/couch_httpd_misc_handlers.erl > @@ -254,7 +254,22 @@ handle_log_req(#httpd{method='GET'}=Req) -> > ]), > send_chunk(Resp, Chunk), > last_chunk(Resp); > +handle_log_req(#httpd{method='POST'}=Req) -> > + {PostBody} = couch_httpd:json_body_obj(Req), > + Level = couch_util:get_value(<<"level">>, PostBody), > + Message = ?b2l(couch_util:get_value(<<"message">>, PostBody)), > + case Level of > + <<"debug">> -> > + ?LOG_DEBUG(Message, []), > + send_json(Req, 200, {[{ok, true}]}); > + <<"info">> -> > + ?LOG_INFO(Message, []), > + send_json(Req, 200, {[{ok, true}]}); > + <<"error">> -> > + ?LOG_ERROR(Message, []), > + send_json(Req, 200, {[{ok, true}]}); > + _ -> > + send_json(Req, 400, {[{error, ?l2b(io_lib:format("Unrecognized > log level '~s'", [Level]))}]}) > + end; > handle_log_req(Req) -> > - send_method_not_allowed(Req, "GET"). > - > - > + send_method_not_allowed(Req, "GET,POST"). > > --0015175caebe6036de04b0889406--
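
Review bot: In the new `handle_log_req(#httpd{method='POST'}=Req)` clause, `Message` comes straight from the request body and is passed as the format string in `?LOG_DEBUG(Message, [])`, `?LOG_INFO(Message, [])` and `?LOG_ERROR(Message, [])`, so any `~` control sequence in a client's message is interpreted against an empty argument list instead of being logged literally. Pass the text as data, for example `?LOG_INFO("~s", [Message])`, preferably behind a fixed marker that identifies the entry as client-submitted, and escape or reject CR/LF so a single request cannot produce text that reads as several log entries. The clause also shows no authorization check before writing to the log, and `?b2l` is applied to whatever `couch_util:get_value(<<"message">>, PostBody)` returns, so a missing or non-string `message` is not turned into a 400 the way an unknown `level` is; both cases want an explicit check. The three identical `send_json(Req, 200, {[{ok, true}]})` calls could be hoisted out of the `case`.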