couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexander Shorin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (COUCHDB-1838) Specifying public_fields parameter discloses all user docs
Date Sat, 22 Jun 2013 00:07:20 GMT
Alexander Shorin created COUCHDB-1838:
-----------------------------------------

             Summary: Specifying public_fields parameter discloses all user docs
                 Key: COUCHDB-1838
                 URL: https://issues.apache.org/jira/browse/COUCHDB-1838
             Project: CouchDB
          Issue Type: Bug
            Reporter: Alexander Shorin


When public_fields are specified it's possible to retrieve all available user docs, no matter
does they contains specified public fields or not.

0. Setup some users:

{code}
curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[],
"type":"user", "password": "cba"}'  -H "Content-Type: application/json"  
curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[],
"type":"user", "password": "fed"}'  -H "Content-Type: application/json" 
{code}

1. Check the old behavior without public_fields:

{code}
curl -v http://abc:cba@localhost:5984/_users/_all_docs

HTTP/1.1 403 Forbidden
Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
Date: Fri, 21 Jun 2013 23:12:13 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 87
Cache-Control: must-revalidate

{"error":"forbidden","reason":"Only admins can access _all_docs of system databases."}
{code}

2. Specify some public fields that no one actually has:

{code}
curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"no_user_will_never_has_ziz_field_in_his_doc"'
-H "Content-Type: application/json" --user couch_admin
{code}

3. Try step 1 one more time:

{code}
curl -v http://abc:cba@localhost:5984/_users/_all_docs

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
Date: Fri, 21 Jun 2013 23:15:05 GMT
Content-Type: text/plain; charset=utf-8
Cache-Control: must-revalidate

{"total_rows":6,"offset":0,"rows":[
{"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
{"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
{"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
{"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
{"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
{"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
]}
{code}

Same for anonymous user:

{code}
curl -v http://localhost:5984/_users/_all_docs

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
Date: Sat, 22 Jun 2013 00:04:17 GMT
Content-Type: text/plain; charset=utf-8
Cache-Control: must-revalidate

{"total_rows":6,"offset":0,"rows":[
{"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
{"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
{"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
{"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
{"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
{"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
]}
{code}

The problem is that with specified public_fields it's possible to retrieve all user's names
no matter has their public field or not. This behaviour a bit violates implemented [System
Database Security|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=e5503ff]:

[CouchDB 1.2.0 release notes|https://blogs.apache.org/couchdb/entry/apache_couchdb_1_2_0]:

{quote}
Documents in the _users database can no longer be read by everyone

Documents in the _users databases can now only be read by the respective authenticated user
and administrators. Before, all docs were world-readable including their password hashes and
salts.
{quote}

[Security Features Overview|http://wiki.apache.org/couchdb/Security_Features_Overview#Authentication%20database]:
{quote}
In addition, the _users database is now treated different from other databases:

    An anonymous user can only create a new document.
    An authenticated user can only update their own document.
    A server or database admin can access and update all documents.

    Only server or database admins can create design documents and access views and _all_docs
and _changes. 
{quote}


Expected behaviour when `public_fields` specified:

`_all_docs` should returns only those user docs, that are actually contains public fields.
Users that has no such fields has nothing to publish. If user doc has public fields it shouldn't
be mentioned in `_all_docs` response.



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message