Date: Wed, 7 Aug 2013 14:26:48 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: dev@couchdb.apache.org
Subject: [jira] [Commented] (COUCHDB-1838) Specifying public_fields parameter discloses all user docs

    [ https://issues.apache.org/jira/browse/COUCHDB-1838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13732033#comment-13732033 ]

ASF subversion and git services commented on COUCHDB-1838:
----------------------------------------------------------

Commit b4480facc3d7bc72223c25e8b05c0fa00c08dd3f in branch refs/heads/master from [~janl]
[ https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=b4480fa ]

fix test for 8d7ab8b.
cc COUCHDB-1838

> Specifying public_fields parameter discloses all user docs
> ----------------------------------------------------------
>
>                 Key: COUCHDB-1838
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1838
>             Project: CouchDB
>          Issue Type: Bug
>            Reporter: Alexander Shorin
>            Priority: Blocker
>             Fix For: 1.4
>
>
> When public_fields are specified it's possible to retrieve all available user docs, no matter whether they contain the specified public fields or not.
> 0. Set up some users:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 1. Check the old behavior without public_fields:
> {code}
> curl -v http://abc:cba@localhost:5984/_users/_all_docs
> HTTP/1.1 403 Forbidden
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 23:12:13 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 87
> Cache-Control: must-revalidate
> {"error":"forbidden","reason":"Only admins can access _all_docs of system databases."}
> {code}
> 2. Specify some public fields that no one actually has:
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"no_user_will_never_has_ziz_field_in_his_doc"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 3. Try step 1 one more time:
> {code}
> curl -v http://abc:cba@localhost:5984/_users/_all_docs
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
> Date: Fri, 21 Jun 2013 23:15:05 GMT
> Content-Type: text/plain; charset=utf-8
> Cache-Control: must-revalidate
> {"total_rows":6,"offset":0,"rows":[
> {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
> {"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
> {"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
> {"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
> {"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
> {"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
> ]}
> {code}
> Same for anonymous user:
> {code}
> curl -v http://localhost:5984/_users/_all_docs
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
> Date: Sat, 22 Jun 2013 00:04:17 GMT
> Content-Type: text/plain; charset=utf-8
> Cache-Control: must-revalidate
> {"total_rows":6,"offset":0,"rows":[
> {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
> {"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
> {"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
> {"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
> {"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
> {"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
> ]}
> {code}
> The problem is that with public_fields specified it's possible to retrieve all users' names, no matter whether they have a public field or not. This behaviour somewhat violates the implemented [System Database Security|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=e5503ff]:
> [CouchDB 1.2.0 release notes|https://blogs.apache.org/couchdb/entry/apache_couchdb_1_2_0]:
> {quote}
> Documents in the _users database can no longer be read by everyone
> Documents in the _users databases can now only be read by the respective authenticated user and administrators. Before, all docs were world-readable including their password hashes and salts.
> {quote}
> [Security Features Overview|http://wiki.apache.org/couchdb/Security_Features_Overview#Authentication%20database]:
> {quote}
> In addition, the _users database is now treated different from other databases:
> An anonymous user can only create a new document.
> An authenticated user can only update their own document.
> A server or database admin can access and update all documents.
> Only server or database admins can create design documents and access views and _all_docs and _changes.
> {quote}
> Expected behaviour when `public_fields` specified:
> `_all_docs` should return only those user docs that actually contain public fields. Users that have no such fields have nothing to publish. If a user doc has public fields it shouldn't be mentioned in the `_all_docs` response.
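Added example, not part of the original message or of CouchDB's code: a regression check that compares a non-admin `_all_docs` response on `_users` with the expected behaviour stated in the report (only user docs that contain a public field are listed). The sample response and docs are constructed, the `email` field and all function names are hypothetical, and allowing the requester's own doc is an assumption based on the quoted release notes.

```python
import json

# Constructed sample: a non-admin _all_docs response shaped like the one in the
# report, trimmed to three rows with placeholder revisions.
SAMPLE_RESPONSE = json.dumps({"total_rows": 3, "offset": 0, "rows": [
    {"id": "_design/_auth", "key": "_design/_auth", "value": {"rev": "1-aaa"}},
    {"id": "org.couchdb.user:abc", "key": "org.couchdb.user:abc", "value": {"rev": "1-bbb"}},
    {"id": "org.couchdb.user:def", "key": "org.couchdb.user:def", "value": {"rev": "1-ccc"}},
]})

# Constructed docs as an admin would read them; "email" is a hypothetical field.
SAMPLE_DOCS = {
    "_design/_auth": {"language": "javascript"},
    "org.couchdb.user:abc": {"name": "abc", "roles": [], "type": "user"},
    "org.couchdb.user:def": {"name": "def", "roles": [], "type": "user",
                             "email": "def@example.org"},
}


def parse_public_fields(raw):
    """Split the comma-separated public_fields config value into a set of names."""
    return {field.strip() for field in raw.split(",") if field.strip()}


def allowed_ids(docs, public_fields, requester=None):
    """IDs a non-admin may see listed: docs holding at least one public field.

    Assumption: the requester's own user doc is also allowed, since the
    release notes quoted in the report let a user read their own doc.
    """
    own = f"org.couchdb.user:{requester}" if requester else None
    return {doc_id for doc_id, doc in docs.items()
            if doc_id == own or public_fields & set(doc)}


def disclosed_ids(status, body, docs, public_fields, requester=None):
    """Return the listed IDs that the expected behaviour would have hidden."""
    if status != 200:  # e.g. the 403 returned before public_fields was set
        return []
    listed = [row["id"] for row in json.loads(body)["rows"]]
    allowed = allowed_ids(docs, public_fields, requester)
    return sorted(doc_id for doc_id in listed if doc_id not in allowed)
```

A non-empty result for a non-admin request means the instance lists documents that have nothing to publish, which is the condition the report describes.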