incubator-couchdb-dev mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: sponsoring secure vhost/rewrites
Date Wed, 04 May 2011 00:05:09 GMT

On 3 May 2011, at 01:00, Martin Hilbig wrote:

> hi,
> 
> i want to program and rent couchapps. i want couchdb/bigcouch to be my db, app and webserver.
> 
> i don't want a middlelayer like a(n) (apache) proxy, just to filter out clients which try cheating by using no Host header or ../../../ url trickery.
> 
> can this be accomplished already? sadly i didn't find anything and i remember @janl telling me that vhosts and rewrites aren't meant to be security features. why is that so?

This is by design, we didn't spend much time vetting these features for security, hence we
don't recommend them for security purposes.

> my naive thoughts of a secure vhost handling which makes proxies obsolete:
> 
> * the vhost handler should redirect clients with no Host header to a "default" vhost or send a 403/404.
> 
> * requests containing (too many) .. or starting with _ in the resource should also get redirected/404/403ed too.

That sounds like a plan. I don't think the ../ are critical as long as you are in a confined
vhost, but I may be wrong.

> what other requests can you think of to circumvent the vhost handler/rewriter?
> 
> are the 2 points above already possible today? please redirect me to docs.

No.

> where should i start hacking, when i want to implement them myself?

src/couchdb/couch_httpd_vhost.erl

> is anyone willing to implement them for me (or see how far she gets) in 10h = 100eurs? yea this means i want those points so hard i would throw in 10h hours or 100eurs or 100$ to get someone (at least) started on them. is this okay or inappropriate here or is there a better place for couchdb job offers (maybe the user@ list)?

10$/€ per hour probably won't get you many replies :)

Cheers
Jan
-- 
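
The two checks proposed in this thread (refuse requests without a Host header, refuse paths containing `..` or segments starting with `_`), written out as an added JavaScript example that is not part of the original message and is not CouchDB code. `VHOSTS`, `checkVhostRequest`, the status code chosen for each case, the unknown-vhost rule and the encoded-separator rule are assumptions for illustration.

```javascript
// Added example: the request checks sketched in the thread, not CouchDB code.
// VHOSTS and checkVhostRequest are hypothetical names for illustration.
const VHOSTS = new Set(["app.example.com"]); // constructed sample vhost table

function checkVhostRequest(headers, rawPath) {
  // Rule 1: no (or empty) Host header is refused instead of falling through.
  const host = (headers["host"] || "").trim().toLowerCase().replace(/:\d+$/, "");
  if (host === "") return { status: 403, reason: "missing Host header" };
  // Assumption beyond the thread: a Host that matches no vhost is refused too.
  if (!VHOSTS.has(host)) return { status: 404, reason: "unknown vhost" };

  // Rule 2: inspect each path segment after percent-decoding, so that
  // encoded forms of ".." and "_" are judged the same as the literal ones.
  const path = rawPath.split("?")[0];
  for (const rawSegment of path.split("/")) {
    let segment;
    try {
      segment = decodeURIComponent(rawSegment);
    } catch (e) {
      return { status: 400, reason: "malformed percent-encoding" };
    }
    if (segment === "..") return { status: 403, reason: "dot-dot segment" };
    if (segment.startsWith("_")) return { status: 403, reason: "underscore segment" };
    // A decoded "/" or "\" would hide further segments from this loop.
    if (/[\/\\]/.test(segment)) return { status: 403, reason: "encoded separator" };
  }
  return { status: 200, reason: "ok" };
}
```

The filter decodes each segment exactly once, so it only holds if the handler behind it also decodes the path exactly once.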

