From: Paul Davis <paul.joseph.davis@gmail.com>
Date: Wed, 29 Aug 2012 13:35:58 -0500
Subject: Re: Possible validation security issue
To: user@couchdb.apache.org

Check against oldDoc instead of newDoc?

On Wed, Aug 29, 2012 at 1:28 PM, Wordit wrote:
> I may have stumbled upon a security issue in validation functions.
> Maybe somebody else can try to confirm this. I've been using the
> validation function mentioned several times in the user guide:
>
> function (newDoc, oldDoc, userCtx) {
>   if (newDoc.author) {
>     if (newDoc.author != userCtx.name) {
>       throw({"forbidden": "You may only update documents with author " +
>         userCtx.name});
>     }
>   }
> }
>
> A user who is *not* newDoc.author will be prevented from updating the
> document when editing. So far so good. However, to get around security
> and edit the document, a user who is not the author only has to change
> the author field to their name. Voila, they can now edit all other
> fields. Works in Futon in two steps, from Curl in one step.
>
> I've been testing this on iriscouch.com, so it's the currently hosted
> version I'm referring to. I first noticed using curl. Something like
> this:
>
> db has two fields.
> author: usera
> text: my wonderful text
>
> The goal is to change field "text" as another user, e.g. "userb".
> userb just has to update the author field from usera to userb:
>
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d
> '{"_rev":"3-456","author":"userb"}' -H "Content-type:
> application/json"
>
> couch returns new _rev:4-567
>
> Now the document belongs to userb, the text field can be updated.
>
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d
> '{"_rev":"4-567","author":"userb", "text":"gottcha"}' -H
> "Content-type: application/json"
>
> Actually, it worked in one go for me to just overwrite the author
> field and change other fields. It didn't require two steps in Curl.
>
> Shouldn't couchdb prevent the author field from being updated? It
> seems this only works with the name of the currently authenticated
> user. You cannot enter just anything into the author field.
>
> Can anyone confirm, and if this is correct, how can the document be secured?
>
> Thanks,
>
> Marcus
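The flaw Marcus describes is that the guide's validation function trusts `newDoc.author`, a field the writer controls in the same request, so anyone can "become" the owner by rewriting it. Paul's one-line suggestion is the fix: take ownership from `oldDoc`, the revision already stored, which the writer cannot influence. The block below is an added example (not code from the thread, from the CouchDB user guide, or from CouchDB itself) of a `validate_doc_update` function written that way, together with a small offline harness that replays the two requests from the thread against it. The document shape (an `author` field naming the owner) comes from the thread; the admin bypass, the handling of deletions and new documents, and the refusal of ownership transfers are design choices made here.

```javascript
// Added example: a validate_doc_update that anchors the ownership check on
// oldDoc (the stored revision) instead of newDoc (the writer's input).
// Assumed document shape: an "author" field naming the owning user.

function validate_doc_update(newDoc, oldDoc, userCtx) {
  function forbid(msg) { throw ({ forbidden: msg }); }

  // Server admins bypass ownership rules (CouchDB puts "_admin" in userCtx.roles).
  if (userCtx.roles && userCtx.roles.indexOf("_admin") !== -1) {
    return;
  }

  // Anonymous writers (userCtx.name === null) can own nothing.
  if (!userCtx.name) {
    forbid("You must be logged in to write documents");
  }

  if (!oldDoc) {
    // New document (oldDoc is null): may only be created in the writer's own
    // name, so nobody can plant a document that appears to belong to someone else.
    if (newDoc.author !== userCtx.name) {
      forbid("New documents must set author to " + userCtx.name);
    }
    return;
  }

  // Existing document: ownership comes from the *stored* revision. Checking
  // newDoc.author here is exactly the flaw in the thread, since the writer
  // controls that field.
  var owner = oldDoc.author;
  if (owner !== undefined && owner !== userCtx.name) {
    forbid("You may only update documents with author " + owner);
  }

  if (newDoc._deleted) {
    return; // deletion stubs carry no author field; the owner check above suffices
  }

  if (owner !== undefined) {
    // Ownership transfer is refused outright (a design choice for this example).
    if (newDoc.author !== owner) {
      forbid("The author field cannot be changed");
    }
  } else if (newDoc.author !== undefined && newDoc.author !== userCtx.name) {
    // An unowned document may be claimed, but only in the writer's own name.
    forbid("You may only claim a document as " + userCtx.name);
  }
}

// Harness: run the validator the way the database would, but report the
// outcome instead of throwing, so the cases can be inspected offline.
function tryUpdate(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx);
    return { ok: true };
  } catch (e) {
    return { ok: false, reason: e.forbidden || String(e) };
  }
}

// Constructed sample data mirroring the thread: usera owns doc 123, userb is another user.
var stored = { _id: "123", _rev: "3-456", author: "usera", text: "my wonderful text" };
var usera = { name: "usera", roles: [] };
var userb = { name: "userb", roles: [] };

function replayThread() {
  return {
    // Step 1 from the thread: userb rewrites only the author field.
    takeoverStep1: tryUpdate({ _id: "123", _rev: "3-456", author: "userb" }, stored, userb),
    // One-shot variant: author and text changed in the same PUT.
    takeoverOneShot: tryUpdate({ _id: "123", _rev: "3-456", author: "userb", text: "gottcha" }, stored, userb),
    // The legitimate owner editing the text.
    ownerEdit: tryUpdate({ _id: "123", _rev: "3-456", author: "usera", text: "edited" }, stored, usera),
    // The owner handing the document to someone else is refused as well.
    ownerTransfer: tryUpdate({ _id: "123", _rev: "3-456", author: "userb", text: "edited" }, stored, usera),
    // Creating a new document in one's own name is fine ...
    createOwn: tryUpdate({ _id: "456", author: "userb", text: "mine" }, null, userb),
    // ... but not in someone else's name.
    createSpoofed: tryUpdate({ _id: "789", author: "usera", text: "spoof" }, null, userb),
    // The owner deleting their document (deletion stubs carry no author).
    ownerDelete: tryUpdate({ _id: "123", _rev: "3-456", _deleted: true }, stored, usera)
  };
}

console.log(JSON.stringify(replayThread(), null, 2));
```

With this function installed in a design document, both of the curl requests from the thread are answered with 403 because `oldDoc.author` is `usera` and the writer is `userb`; the owner can still edit and delete, but cannot hand the document to another name, which is the "prevent the author field from being updated" behaviour Marcus asks about. If a deployment does want owners to be able to transfer documents, the `newDoc.author !== owner` branch is the one place to relax, and it stays safe because the transfer is still gated on `oldDoc.author` matching the caller.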