couchdb-user mailing list archives

From Jens Alfke <j...@couchbase.com>
Subject Re: What's the exact definition of 'oldDoc' in a validation function?
Date Sun, 23 Feb 2014 23:28:22 GMT

On Feb 23, 2014, at 12:09 AM, Benoit Chesneau <bchesneau@gmail.com> wrote:

> OldDoc means the doc you fetch when you issue a GET before the update

That’s ambiguous if there are conflicts.

The way I’ve implemented it in Couchbase Lite and the Sync Gateway is that it’s the nearest
ancestor of newRev that already exists in the database. Which I believe agrees with Alexander’s
definition.

I’m now in the unhappy position that my current spec for signed documents[1] is not enforceable
with a CouchDB validation function. The issue is that the signed data of the document has
to include the parent revision ID. If it doesn’t, there’s a replay attack where an attacker
can take an older revision of a document they don’t own and PUT it back to the database
as the current revision. (Git and Mercurial encode a commit’s parent ID(s) as part of its
ID for the same reason.)
So to validate a revision’s signature, the true parent revID has to be known to the validation
function. But this isn’t necessarily the same as oldDoc['_rev']: if the database didn’t
previously have the direct parent revision, oldDoc will instead be the last known ancestor,
not the parent.

—Jens

[1]: https://github.com/couchbase/couchbase-lite-ios/wiki/Signed-Documents
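
The check discussed in the message above, as an added example that is not part of the original message and is not Couchbase Lite, Sync Gateway or CouchDB code: a signature that covers the parent revision ID, validated with only oldDoc available. The `parent` and `sig` field names, the revision IDs and the key pair are constructed assumptions.

```javascript
// Added illustration; the field names "parent" and "sig" are assumptions.
const crypto = require("crypto");

// Constructed Ed25519 key pair standing in for the document owner's key.
const owner = crypto.generateKeyPairSync("ed25519");

// Bytes covered by the signature: the body AND the parent revision ID.
// (A real format needs a canonical encoding; JSON.stringify is enough here.)
function signedBytes(body, parent) {
  return Buffer.from(JSON.stringify({ body, parent }));
}

// Create a signed revision bound to its parent revision ID.
function makeRev(rev, parent, body) {
  const sig = crypto.sign(null, signedBytes(body, parent), owner.privateKey);
  return { _rev: rev, parent, body, sig: sig.toString("base64") };
}

// What a validation function can do when oldDoc is all it is given:
// verify the signature, then compare the signed parent with oldDoc._rev.
function validate(newDoc, oldDoc) {
  const sigOk = crypto.verify(null, signedBytes(newDoc.body, newDoc.parent),
    owner.publicKey, Buffer.from(newDoc.sig, "base64"));
  if (!sigOk) return "bad-signature";
  const known = oldDoc ? oldDoc._rev : null;
  return newDoc.parent === known ? "accept" : "parent-mismatch";
}

// Constructed revision chain 1-aaa <- 2-bbb <- 3-ccc.
const r1 = makeRev("1-aaa", null, { text: "v1" });
const r2 = makeRev("2-bbb", "1-aaa", { text: "v2" });
const r3 = makeRev("3-ccc", "2-bbb", { text: "v3" });

function runCases() {
  return {
    // Normal update: oldDoc is the direct parent.
    direct: validate(r2, r1),
    // Replay: r1's signed content resubmitted on top of r3.
    replay: validate({ ...r1, _rev: "4-ddd" }, r3),
    // Replay with the parent field rewritten to fit: signature no longer verifies.
    tampered: validate({ ...r1, _rev: "4-ddd", parent: "3-ccc" }, r3),
    // Database holds only r1 and receives r3: oldDoc is an ancestor, not the
    // parent, so a legitimate revision is indistinguishable from a replay.
    gap: validate(r3, r1),
  };
}

console.log(runCases());
```

The `replay` and `gap` cases return the same result, which is the enforceability problem: comparing the signed parent with oldDoc's revision cannot tell a replay from a legitimate revision whose direct parent is missing locally.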