incubator-couchdb-dev mailing list archives

From Olafur Arason <olaf...@olafura.com>
Subject Re: sponsoring secure vhost/rewrites
Date Wed, 04 May 2011 09:25:02 GMT
Could you give some detail on what you mean by a new couchapp engine?

Regards,
Olafur Arason

On Wed, May 4, 2011 at 06:11, Benoit Chesneau <bchesneau@gmail.com> wrote:
> On Tue, May 3, 2011 at 10:00 AM, Martin Hilbig <blueonyx@gmx.net> wrote:
>> hi,
>>
>> I want to program and rent couchapps. I want couchdb/bigcouch to be my db,
>> app and webserver.
>>
>> I don't want a middle layer like a(n) (apache) proxy just to filter out
>> clients which try cheating by using no Host header or ../../../ url
>> trickery.
>>
>> Can this be accomplished already? Sadly I didn't find anything, and I remember
>> @janl telling me that vhosts and rewrites aren't meant to be security
>> features. Why is that so?
>>
>> my naive thoughts of a secure vhost handling which makes proxies obsolete:
>>
>> * the vhost handler should redirect clients with no Host header to a
>> "default" vhost or send a 403/404.
>
> You can't do that, it would remove the ability to access couchdb
> until vhosts are on the same port or the couchdb api is prefixed. You can
> however change the way welcome works, there is a patch in jira for
> that.
>
>>
>> * requests containing (too many) .. or starting with _ in the resource should
>> also get redirected/404/403ed too.
>>
>> what other requests can you think of to circumvent the vhost
>> handler/rewriter?
>
> To sandbox couchapps you may need more work, to filter db access & co.
>
>>
>> Are the 2 points above already possible today? Please redirect me to docs.
>>
>> Where should I start hacking, when I want to implement them myself?
>
> hacking couch_httpd_vhosts.erl or you can change the redirect function
> to adapt it to your own use:
>
> %%    [httpd]
> %%    redirect_vhost_handler = {Module, Fun}
> %%
> %% The function takes 2 args: the mochiweb request object and the target
> %% path.
>
>>
>> Is anyone willing to implement them for me (or see how far she gets) in 10h
>> = 100eurs? Yea, this means I want those points so hard I would throw in 10
>> hours or 100eurs or 100$ to get someone (at least) started on them. Is this
>> okay or inappropriate here, or is there a better place for couchdb job offers
>> (maybe the user@ list)?
>>
>> have fun
>> martin
>>
>>
>
> 10$/h isn't so much :) I'm working on a new couchapp engine, that will
> probably be released this month and rework the way vhosts work. In
> the meantime don't hesitate to play with the code :)
>
> - benoît
>
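Added example, not code from the thread or from CouchDB: the screening that Martin's two points describe (no Host header, `..` climbing out of the vhost root, `_`-prefixed resources), written in Python as a stand-alone model of the decision a custom `redirect_vhost_handler` would have to make. The vhost table, the 403/404 choices and the target prefix are assumptions; the `..` check normalises percent-encoded forms first, because a plain substring match on `..` misses `%2e%2e`.

```python
"""Request screening for a CouchDB vhost front door (constructed example)."""
from urllib.parse import unquote

# Constructed vhost table: Host header -> path prefix inside CouchDB (assumption).
VHOSTS = {
    "app1.example.com": "/app1/_design/app/_rewrite",
    "app2.example.com": "/app2/_design/app/_rewrite",
}


def normalize_path(path):
    """Decode percent-encoding until stable, then collapse '.' and '..'.
    Returns None when a '..' would climb above the vhost root."""
    for _ in range(3):                      # catches %2e%2e and %252e%252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:                # nothing left to pop: escape attempt
                return None
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def screen_request(headers, raw_path):
    """Return (status, target). 200 means forward to target; else reject."""
    lowered = {k.lower(): v for k, v in headers.items()}
    host = lowered.get("host")
    if not host:
        return 403, None                    # Martin's point 1: no Host header
    prefix = VHOSTS.get(host.split(":", 1)[0].lower())
    if prefix is None:
        return 404, None                    # unknown vhost, no default fallback
    path, _, query = raw_path.partition("?")   # avoid urlsplit's '//host' trap
    norm = normalize_path(path)
    if norm is None:
        return 403, None                    # point 2: '..' escaping the root
    first = norm.split("/")[1] if len(norm) > 1 else ""
    if first.startswith("_"):
        return 403, None                    # point 2: reserved CouchDB resource
    return 200, prefix + norm + ("?" + query if query else "")
```

The same checks belong in the Erlang handler on the `{Module, Fun}` hook Benoit points at; this model only shows which requests must be turned away before the vhost target is built.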
