couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Candler <B.Cand...@pobox.com>
Subject docids starting with underscore
Date Tue, 03 Feb 2009 21:24:43 GMT
I'm not sure if this is a bug, or simply a case of "don't do that"!

{"couchdb":"Welcome","version":"0.9.0a739811-incubating"}

I see it is possible to create documents with IDs starting with an
underscore, such as _view, using the _bulk_docs API

$ curl -X POST -d '{"docs":[{"_id":"_view","foo":"bar"}]}'
http://localhost:5984/test_suite_db/_bulk_docs; echo
{"ok":true,"new_revs":[{"id":"_view","rev":"3737122827"}]}

[Aside: use of "id" and "_id" doesn't appear to be consistent, but that's a
separate discussion]

If you then try to retrieve this document using the normal GET API, it barfs
a 405 error (not surprisingly, since dbname/_view has a special meaning)

However it is still possible to retrieve it using multi document fetch:

$ curl 'http://localhost:5984/test_suite_db/_all_docs?key="_view"&include_docs=true'
{"total_rows":10,"offset":3,"rows":[
{"id":"_view","key":"_view","value":{"rev":"3737122827"},
"doc":{"_id":"_view","_rev":"3737122827","foo":"bar"}}
]}

I wonder if there is any value in the server restricting the docid?

However even if it did, it's still up to application writers to be careful
of this, especially if one document refers to another. E.g. if a malicious
client writes

   "customer_id":"_external/foo/bar"

into an invoice record, then it may make another client perform requests
with unforeseen side effects when looking up the 'customer' for this
invoice.

So at least, perhaps the client-side API libraries ought to forbid docids
which begin with underscore, even if the underlying database doesn't.

Anyway, just a thought. (I came across this issue when modifying a Rails app
to use /things/name instead of /things/id - which is easily done using
to_param. I then had an ambiguity as to whether /things/new was an
individual thing, or an action on the collection of things!)

Regards,

Brian.

Mime
View raw message