incubator-couchdb-user mailing list archives

From Paul Davis <paul.joseph.da...@gmail.com>
Subject Re: Possible validation security issue
Date Wed, 29 Aug 2012 18:35:58 GMT
Check against oldDoc instead of newDoc?

On Wed, Aug 29, 2012 at 1:28 PM, Wordit <wordituk@gmail.com> wrote:
> I may have stumbled upon a security issue in validation functions.
> Maybe somebody else can try to confirm this. I've been using the
> validation function mentioned several times in the user guide:
>
> function (newDoc, oldDoc, userCtx) {
>   if (newDoc.author) {
>     if(newDoc.author != userCtx.name) {
>       throw({"forbidden": "You may only update documents with author " +
>         userCtx.name});
>     }
>   }
> }
>
> A user who is *not* newDoc.author will be prevented from updating the
> document when editing. So far so good. However, to get around security
> and edit the document, a user who is not the author only has to change
> the author field to their name. Voila, they can now edit all other
> fields. Works in Futon in two steps, from Curl in one step.
>
> I've been testing this on iriscouch.com, so it's the currently hosted
> version I'm referring to. I first noticed using curl. Something like
> this:
>
> db has two fields.
> author: usera
> text: my wonderful text
>
> The goal is to change field "text" as another user, e.g. "userb".
> userb just has to update the author field from usera to userb:
>
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d
> '{"_rev":"3-456","author":"userb"}' -H "Content-type:
> application/json"
>
> couch returns new _rev:4-567
>
> Now the document belongs to userb, the text field can be updated.
>
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d
> '{"_rev":"4-567","author":"userb", "text":"gottcha"}' -H
> "Content-type: application/json"
>
> Actually, it worked in one go for me to just overwrite the author
> field and change other fields. It didn't require two steps in Curl.
>
> Shouldn't CouchDB prevent the author field from being updated? It
> seems this only works with the name of the currently authenticated
> user. You cannot enter just anything into the author field.
>
> Can anyone confirm, and if this is correct, how can the document be secured?
>
> Thanks,
>
> Marcus
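Added example, not part of the thread and not CouchDB's own code: the user-guide function Marcus quotes, placed beside a validate_doc_update that follows Paul's suggestion and takes ownership from oldDoc rather than newDoc. The runValidation harness, the _admin role bypass and the sample documents are assumptions constructed here so both functions can be exercised offline.

```javascript
// Added example, not code from the thread or from CouchDB itself. It places
// the user-guide validation function quoted above beside a hardened version
// that, as Paul suggests, checks ownership against oldDoc. runValidation()
// and the sample documents are constructed here to exercise both offline.

// The function as quoted in the thread. It only looks at the *incoming*
// author field, so any caller can set author to their own name and pass.
function validateVulnerable(newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({ forbidden: "You may only update documents with author " + userCtx.name });
    }
  }
}

// Hardened version. For an existing document the stored record (oldDoc)
// decides who the owner is, so an update cannot reassign ownership; for a
// new document a claimed author must be the caller. Deletions arrive as
// {_deleted: true} without an author field and are checked the same way.
// The _admin role check is an assumption about the deployment, not part
// of the original function; CouchDB runs validation for admins too.
function validateHardened(newDoc, oldDoc, userCtx) {
  if (userCtx.roles && userCtx.roles.indexOf("_admin") !== -1) {
    return;
  }
  if (oldDoc && oldDoc.author) {
    if (oldDoc.author !== userCtx.name) {
      throw({ forbidden: "You may only update documents with author " + oldDoc.author });
    }
    if (!newDoc._deleted && newDoc.author !== oldDoc.author) {
      throw({ forbidden: "The author field may not be changed" });
    }
  } else if (newDoc.author && newDoc.author !== userCtx.name) {
    throw({ forbidden: "You may only create documents with author " + userCtx.name });
  }
}

// Constructed harness imitating how CouchDB calls validate_doc_update:
// returns null if the write is accepted, otherwise the forbidden message.
function runValidation(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx);
    return null;
  } catch (e) {
    return e && e.forbidden ? e.forbidden : String(e);
  }
}

// Constructed sample data mirroring the thread: usera's document, and
// userb's attempt to take it over by rewriting the author field.
const stored = { _id: "123", _rev: "3-456", author: "usera", text: "my wonderful text" };
const takeover = { _id: "123", _rev: "3-456", author: "userb", text: "gottcha" };
const usera = { name: "usera", roles: [] };
const userb = { name: "userb", roles: [] };

// Runs the scenarios from the thread against both functions and returns
// the outcomes keyed by scenario name (null = write accepted).
function scenarios() {
  return {
    // the hole Marcus describes: accepted by the quoted function
    takeoverVulnerable: runValidation(validateVulnerable, takeover, stored, userb),
    // the same write against the hardened function
    takeoverHardened: runValidation(validateHardened, takeover, stored, userb),
    // the legitimate owner editing the text field
    ownerEdit: runValidation(validateHardened,
      { _id: "123", _rev: "3-456", author: "usera", text: "edited" }, stored, usera),
    // the owner trying to hand the document to someone else
    ownerReassign: runValidation(validateHardened, takeover, stored, usera),
    // deletion by a non-owner
    deleteByOther: runValidation(validateHardened,
      { _id: "123", _rev: "3-456", _deleted: true }, stored, userb),
    // creating a fresh document that claims someone else as author
    createAsOther: runValidation(validateHardened,
      { _id: "999", author: "usera", text: "new" }, null, userb),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

Run it with node; each scenario reports null when the write would be accepted and the forbidden message otherwise, so the first two entries show the quoted function accepting the takeover and the hardened one rejecting it. The harness only reproduces the call shape (newDoc, oldDoc, userCtx); in CouchDB the function itself goes in the design document's validate_doc_update field.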
