Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2B29B2A15 for ; Tue, 3 May 2011 08:00:32 +0000 (UTC) Received: (qmail 26046 invoked by uid 500); 3 May 2011 08:00:31 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 25747 invoked by uid 500); 3 May 2011 08:00:28 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 25739 invoked by uid 99); 3 May 2011 08:00:27 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 03 May 2011 08:00:27 +0000 X-ASF-Spam-Status: No, hits=0.0 required=5.0 tests=FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of blueonyx@gmx.net designates 213.165.64.22 as permitted sender) Received: from [213.165.64.22] (HELO mailout-de.gmx.net) (213.165.64.22) by apache.org (qpsmtpd/0.29) with SMTP; Tue, 03 May 2011 08:00:19 +0000 Received: (qmail invoked by alias); 03 May 2011 07:59:56 -0000 Received: from p54BA378A.dip.t-dialin.net (EHLO [192.168.1.9]) [84.186.55.138] by mail.gmx.net (mp046) with SMTP; 03 May 2011 09:59:56 +0200 X-Authenticated: #24497449 X-Provags-ID: V01U2FsdGVkX19AvbEPC+NARZXs8bvDSYGCATcBb/vGlh8zeRO2jm Pgd7IKdo36qCny Message-ID: <4DBFB605.4000702@gmx.net> Date: Tue, 03 May 2011 10:00:05 +0200 From: Martin Hilbig User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110429 Thunderbird/3.1.10 MIME-Version: 1.0 To: dev@couchdb.apache.org Subject: sponsoring secure vhost/rewrites Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 hi, i want to program and rent couchapps. i want couchdb/bigcouch to be my db, app and webserver. i dont want a middlelayer like a(n) (apache) proxy, just to filter out clients which try cheating by using no Host header or ../../../ url trickery. can this be accomplished already? sadly i didnt find anything and i remember @janl telling me that vhosts and rewrites arent meant to be security features. why is that so? my naive thoughts of a secure vhost handling which makes proxies obsolete: * the vhost handler should redirect clients with no Host header to a "default" vhost or send a 403/404. * requests containing (to many) .. or starting with _ in the resource should also get redirected/404/403ed too. what other requests can you think of to circumvent the vhost handler/rewriter? are the 2 points above already possible today? please redirect me to docs. where should i start hacking, when i want to implent them myself? is anyone willing to implement them for me (or see how far she gets) in 10h = 100eurs? yea this means i want those points so hard i would throw in 10h hours or 100eurs or 100$ to get someone (at least) started on them. is this okay or inappropriate here or is there a better place for couchdb job offers (maybe the user@ list)? have fun martin