Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0085A111E5 for ; Sun, 6 Apr 2014 16:50:18 +0000 (UTC) Received: (qmail 41659 invoked by uid 500); 6 Apr 2014 16:50:16 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 41582 invoked by uid 500); 6 Apr 2014 16:50:15 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 41571 invoked by uid 99); 6 Apr 2014 16:50:15 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 06 Apr 2014 16:50:15 +0000 Date: Sun, 6 Apr 2014 16:50:15 +0000 (UTC) From: "Robert Newson (JIRA)" To: dev@couchdb.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (COUCHDB-2221) _users doc iterations field as string value (pbkdf2) hangs forever MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/COUCHDB-2221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13961457#comment-13961457 ] Robert Newson commented on COUCHDB-2221: ---------------------------------------- Reading #couchdb backchannel, [~isaacs] says he has a custom validate_doc_update function anyway, so the backport is unnecessary (there's no plan to do a 1.5.2 release afaik). My suggestion is to change the auth module to fail better on bad input or a full try/catch around the parsing of these functions, falling back to a sane default. The patch shown will only handle this kind of error ("10" instead of 10) and not others (if iterations was "hello" or [1,2,3] or true or {}). > _users doc iterations field as string value (pbkdf2) hangs forever > ------------------------------------------------------------------ > > Key: COUCHDB-2221 > URL: https://issues.apache.org/jira/browse/COUCHDB-2221 > Project: CouchDB > Issue Type: Bug > Security Level: public(Regular issues) > Components: Database Core > Reporter: Isaac Z. Schlueter > Assignee: Joan Touzet > > Create a user account with the following details: > { > "_id":"org.couchdb.user:test-user", > "name":"test-user", > "password":"this is a test" > "roles":[], > "type":"user" > } > CouchDB will PBKDF2-ify the password in the _users doc. So far so good. > Then, try this: > ubuntu@ip-172-31-35-228:~$ curl http://localhost:5984/_users/org.couchdb.user:test-user -u "test-user:this is not the correct password" -vvv > * About to connect() to localhost port 5984 (#0) > * Trying 127.0.0.1... connected > * Server auth using Basic with user 'test-user' > > GET /_users/org.couchdb.user:test-user HTTP/1.1 > > Authorization: Basic dGVzdHVzZXI6dGhpcyBpcyBub3QgdGhlIGNvcnJlY3QgcGFzc3dvcmQ= > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 > > Host: localhost:15984 > > Accept: */* > > > And then it hangs indefinitely. > This does not happen when the user account uses password_sha. For example: > ubuntu@ip-172-31-35-228:~$ curl http://localhost:15984/_users/org.couchdb.user:testuserasdf -u "testuserasdf:this is not the correct password" -vvv > * About to connect() to localhost port 15984 (#0) > * Trying 127.0.0.1... connected > * Server auth using Basic with user 'testuserasdf' > > GET /_users/org.couchdb.user:testuserasdf HTTP/1.1 > > Authorization: Basic dGVzdHVzZXJhc2RmOnRoaXMgaXMgbm90IHRoZSBjb3JyZWN0IHBhc3N3b3Jk > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 > > Host: localhost:15984 > > Accept: */* > > > < HTTP/1.1 401 Unauthorized > < Server: CouchDB/1.5.0 (Erlang OTP/R14B04) > < Date: Sat, 05 Apr 2014 22:58:54 GMT > < Content-Type: text/plain; charset=utf-8 > < Content-Length: 67 > < Cache-Control: must-revalidate > < > {"error":"unauthorized","reason":"Name or password is incorrect."} > * Connection #0 to host localhost left intact > * Closing connection #0 > This is a serious and urgent problem for npm. > At the urging of many people in the CouchDB and Node.js community, we've been migrating users to pbkdf2 accounts. However, rather than quickly report authorization failures, it hangs indefinitely, and eventually our TLS terminator returns a 500 or our CDN returns a 503. > Because the appropriate HTTP response code is not being returned, we cannot hope to properly handle the situation. It looks like the server has just fallen over. Already the user experience has started to get pretty awful. > What's worse, I fear that this is a DOS exploit, because it ties up a connection for a very long time. The npm registry is somewhat insulated by our CDN, but any CouchDB using pbkdf2 password storage is vulnerable. -- This message was sent by Atlassian JIRA (v6.2#6252)