couchdb-user mailing list archives

From "Ed Finkler" <funkat...@gmail.com>
Subject Re: Security via probability
Date Wed, 08 Oct 2008 00:29:18 GMT
It really depends on the nature of the data and such, but in general
I'd be pretty wary of doing such a thing for a write action. Might be
okay for a read if the data isn't terribly sensitive.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron


On Tue, Oct 7, 2008 at 7:35 PM, Paul Carey <paul.p.carey@gmail.com> wrote:
> My webapp PUTs data to a url like /controller/couchdb_db_doc_id. The
> associated action currently performs no security checks. Specifically,
> it doesn't ensure that the user making the PUT request and modifying
> the data actually owns the associated document.
>
> Given a uuid as a doc id, the chances of guessing a doc id are very
> low indeed; successfully guessing a typical user's password would be
> much easier. In order for an attack to be successful the attacker
> would have to first guess a document id - extremely unlikely. This
> leads me to believe that I don't *need* to perform any security checks
> when modifying a document as described above. Any thoughts to the
> contrary?
>
> Cheers
>
> Paul
>
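
The ownership check that the quoted message says the action skips, sketched as an added example (not code from either poster or from CouchDB). The in-memory `DB`, the `owner` field, the integer `_rev` and the `put_doc` handler are assumptions made for illustration; the point is that the document id only locates the document, while the authenticated session decides whether the write is allowed.

```python
import uuid

# Constructed in-memory stand-in for the CouchDB database (assumption).
DB = {}

def create_doc(owner, body):
    """Store a document under a random UUID and record who owns it."""
    doc_id = uuid.uuid4().hex
    DB[doc_id] = {**body, "_id": doc_id, "_rev": 1, "owner": owner}
    return doc_id

def put_doc(session_user, doc_id, rev, body):
    """Hypothetical controller action for PUT /controller/<doc_id>.

    Returns (status, payload). session_user is the authenticated user
    taken from the server-side session, never from the request body.
    """
    if session_user is None:
        return 401, {"error": "unauthorized"}
    doc = DB.get(doc_id)
    # Same answer for "missing" and "not yours", so the response does not
    # confirm to a non-owner that a given id exists.
    if doc is None or doc["owner"] != session_user:
        return 404, {"error": "not_found"}
    if rev != doc["_rev"]:
        return 409, {"error": "conflict"}
    # Ownership and identity fields are never writable by the client.
    clean = {k: v for k, v in body.items() if k not in ("_id", "_rev", "owner")}
    doc.update(clean)
    doc["_rev"] += 1
    return 200, {"ok": True, "id": doc_id, "rev": doc["_rev"]}

def demo():
    """Run four constructed requests against one document owned by alice."""
    doc_id = create_doc("alice", {"title": "draft"})
    statuses = [
        put_doc(None, doc_id, 1, {"title": "x"})[0],       # no session
        put_doc("bob", doc_id, 1, {"title": "x"})[0],      # has the id, not the owner
        put_doc("alice", doc_id, 1, {"title": "final", "owner": "bob"})[0],
        put_doc("alice", doc_id, 1, {"title": "stale"})[0],  # outdated revision
    ]
    return statuses, DB[doc_id]

if __name__ == "__main__":
    print(demo())
```
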
