incubator-couchdb-user mailing list archives

From Wordit <wordi...@gmail.com>
Subject Possible validation security issue
Date Wed, 29 Aug 2012 18:28:14 GMT
I may have stumbled upon a security issue in validation functions.
Maybe somebody else can try to confirm this. I've been using the
validation function mentioned several times in the user guide:

function (newDoc, oldDoc, userCtx) {
  // Only newDoc is consulted; oldDoc (the stored author) is never checked.
  if (newDoc.author) {
    if(newDoc.author != userCtx.name) {
      throw({"forbidden": "You may only update documents with author " +
        userCtx.name});
    }
  }
}

A user who is *not* newDoc.author will be prevented from updating the
document when editing. So far so good. However, to get around security
and edit the document, a user who is not the author only has to change
the author field to their own name. Voilà, they can now edit all other
fields. Works in Futon in two steps, from curl in one step.

I've been testing this on iriscouch.com, so it's the currently hosted
version I'm referring to. I first noticed it using curl. Something like
this:

The document in db has two fields:
author: usera
text: my wonderful text

The goal is to change field "text" as another user, e.g. "userb".
userb just has to update the author field from usera to userb:

curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 \
  -d '{"_rev":"3-456","author":"userb"}' \
  -H "Content-type: application/json"

CouchDB returns a new _rev: 4-567

Now the document belongs to userb, the text field can be updated.

curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 \
  -d '{"_rev":"4-567","author":"userb", "text":"gottcha"}' \
  -H "Content-type: application/json"

Actually, it worked in one go for me to just overwrite the author
field and change other fields. It didn't require two steps in Curl.

Shouldn't couchdb prevent the author field from being updated? It
seems this only works with the name of the currently authenticated
user. You cannot enter just anything into the author field.

Can anyone confirm, and if this is correct, how can the document be secured?

Thanks,

Marcus
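Editor's added example (not code from the message above, and not CouchDB's own code): the user-guide validation function quoted in the message beside a hardened version, both run through a small harness that mimics how CouchDB calls validate_doc_update(newDoc, oldDoc, userCtx) on a PUT. The hardened rule is one reasonable fix, stated here as an assumption rather than as the list's answer: on an update, the stored oldDoc.author is the authority and the author field may not be changed; on creation, author must equal the caller's name. The names validateWeak, validateStrong, simulatePut and runScenarios, and the sample documents, are this example's own.

```javascript
// Added example (not code from the original message or from CouchDB): the
// validation function quoted above beside a hardened version, run through a
// small harness that mimics how CouchDB calls validate_doc_update on a PUT.
// Names such as validateWeak, validateStrong and simulatePut are this example's own.

// The user-guide function as quoted in the message: it only looks at newDoc,
// so whoever is authenticated can claim authorship by rewriting the field.
function validateWeak(newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({ forbidden: "You may only update documents with author " + userCtx.name });
    }
  }
}

// One way to close the hole (an assumption of this example, not the list's
// answer): on updates the stored oldDoc.author is the authority, the author
// field may not be changed, and on creation it must equal the caller's name.
function validateStrong(newDoc, oldDoc, userCtx) {
  var roles = userCtx.roles || [];
  if (roles.indexOf("_admin") !== -1) {
    return; // server admins bypass the ownership checks
  }
  if (oldDoc) {
    if (oldDoc.author !== userCtx.name) {
      throw({ forbidden: "Only " + oldDoc.author + " may update this document" });
    }
    // A deletion tombstone carries no user fields, so compare authors only on real updates.
    if (!newDoc._deleted && newDoc.author !== oldDoc.author) {
      throw({ forbidden: "The author field cannot be changed" });
    }
  } else {
    if (!newDoc.author) {
      throw({ forbidden: "author is required" });
    }
    if (newDoc.author !== userCtx.name) {
      throw({ forbidden: "author must be " + userCtx.name });
    }
  }
}

// Minimal stand-in for the database: a PUT replaces the whole document body,
// must carry the current _rev for an existing doc, and is gated by the validator.
function simulatePut(validator, stored, body, userCtx) {
  if (stored && body._rev !== stored._rev) {
    return { status: 409, reason: "conflict" };
  }
  var newDoc = Object.assign({ _id: stored ? stored._id : body._id }, body);
  try {
    validator(newDoc, stored || null, userCtx);
  } catch (e) {
    if (e && e.forbidden) {
      return { status: 403, reason: e.forbidden };
    }
    throw e;
  }
  return { status: 201, doc: newDoc };
}

// Constructed sample data mirroring the message: usera's document and
// userb's one-step takeover PUT (author rewritten and text changed together).
function runScenarios() {
  var usera = { name: "usera", roles: [] };
  var userb = { name: "userb", roles: [] };
  var stored = { _id: "123", _rev: "3-456", author: "usera", text: "my wonderful text" };
  var takeover = { _rev: "3-456", author: "userb", text: "gottcha" };
  return {
    weakTakeover: simulatePut(validateWeak, stored, takeover, userb).status,
    strongTakeover: simulatePut(validateStrong, stored, takeover, userb).status,
    strongOwnerEdit: simulatePut(validateStrong, stored,
      { _rev: "3-456", author: "usera", text: "edited" }, usera).status,
    strongOwnerHandoff: simulatePut(validateStrong, stored,
      { _rev: "3-456", author: "userb", text: "edited" }, usera).status,
    strongDeleteByOther: simulatePut(validateStrong, stored,
      { _rev: "3-456", _deleted: true }, userb).status,
    strongDeleteByOwner: simulatePut(validateStrong, stored,
      { _rev: "3-456", _deleted: true }, usera).status,
    strongSpoofedCreate: simulatePut(validateStrong, null,
      { _id: "999", author: "usera", text: "fake" }, userb).status
  };
}

console.log(runScenarios());
```

With the weak validator the takeover PUT is accepted (201) because the only check is newDoc.author against the authenticated name; with the hardened one it is refused (403), and so are a deletion by a non-owner, an owner handing the document to someone else, and a new document created under another user's name. Two caveats a practitioner would want: the stored author is only trustworthy if it was pinned to userCtx.name at creation, so the creation branch is part of the fix, not an extra; and the harness is not CouchDB, so the real function still needs to be installed under validate_doc_update in a design document and exercised against the server.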
