couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Newson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-1607) cookie_authentication_handler does not properly handle AuthSession signatures starting with ":" character(s)
Date Sun, 18 Nov 2012 11:52:58 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13499782#comment-13499782
] 

Robert Newson commented on COUCHDB-1607:
----------------------------------------

Nathan, nice sleuthing. If the HashPart (aka _C) begins with a ":" we'll get a verification
failure, the same is true for a HashPart with any two or more consecutive ":"'s, for the same
reason. All because string:tokens silently omits empty tokens, rather than leaving a spacer.
The re:split/2 method fixes that neatly.

The list/binary stuff is annoying but not strictly related.

And here's the difference itself;

string:tokens("User:Time:Foo::Bar",":") -> ["User","Time","Foo","Bar"]
re:split("User:Time:Foo::Bar",":") -> [<<"User">>,<<"Time">>,<<"Foo">>,<<>>,<<"Bar">>]

That's a hash part that, by chance, has two adjacent colon characters. Since it's silently
dropped in the first case, a subsequent join with ":" will not produce the original string.
boom.
                
> cookie_authentication_handler does not properly handle AuthSession signatures starting
with ":" character(s)
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: COUCHDB-1607
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1607
>             Project: CouchDB
>          Issue Type: Bug
>    Affects Versions: 1.2
>            Reporter: Nathan Vander Wilt
>            Priority: Critical
>
> AuthSession cookies will intermittently "break" — a user will have a perfectly valid
session, but suddenly after their cookie gets refreshed they can randomly get "logged out"
for practical purposes.
> The cause is that Erlang's `string:tokens` behaviour does act as this code expects:
> https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L163
> https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L183
> After evaluating `[A,B | C] = string:tokens("a:b::c:d").` the value of C is not `["","c","d"]`
but rather `["c","d"]`. So when rejoined, the signature becomes "c:d" instead of the original
":c:d"!
> It appears that using re.split/2 would avoid this problem, but yields a list/array result
containing <<"">> instead of "" types, which string:join does not like. Should
be pretty quick fix though for someone who knows just a bit more of the Erlang way.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message