couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matthew King" <automatt...@gmail.com>
Subject Re: Security via probability
Date Tue, 07 Oct 2008 23:54:44 GMT
Block requests to the all docs query, and you have the beginnings of a
capability system.

On Tue, Oct 7, 2008 at 6:42 PM, Jeremy Wall <jwall@google.com> wrote:
> This assumes that the user has to guess. If the user gets the docif
> via some other means, say by the all docs query built in to couchdb
> then h doesn't have to guess.
>
>
>
> On 10/7/08, Paul Carey <paul.p.carey@gmail.com> wrote:
>> My webapp PUTs data to a url like /controller/couchdb_db_doc_id. The
>> associated action currently performs no security checks. Specifically,
>> it doesn't ensure that the user making the PUT request and modifying
>> the data actually owns the associated document.
>>
>> Given a uuid as a doc id, the chances of guessing a doc id are very
>> low indeed; successfully guessing a typical user's password would be
>> much easier. In order for an attack to be successful the attacker
>> would have to first guess a document id - extremely unlikely. This
>> leads me to believe that I don't *need* to perform any security checks
>> when modifying a document as described above. Any thoughts to the
>> contrary?
>>
>> Cheers
>>
>> Paul
>>
>
> --
> Sent from my mobile device
>

Mime
View raw message