couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Lehnardt <...@apache.org>
Subject Re: Newsfeed IFRAME in Fauxton and IP collection
Date Wed, 24 Jun 2020 08:37:51 GMT
Thanks ermouth,

I’m surprised my proposal made it through without discussion. I have the
same question ;D

FWIW, this “leaks” the browser connection to the internet, not necessarily
CouchDB instance data.

For a production version of this, I would at least expect an opt-in button
on that page, before loading remote content.

My PR was meant to start this discussion :)

Best
Jan
—

> On 24. Jun 2020, at 10:33, ermouth <ermouth@gmail.com> wrote:
> 
> Since I hadn’t received any answer at Github, I’d like to raise an
> important CouchDB Fauxton security question publicly.
> 
> One of the latest Fauxton PRs (
> https://github.com/apache/couchdb-fauxton/pull/1284) adds a remote newsfeed
> to Fauxton. Emitting a newsfeed in the admin panel in that way may lead to
> IP collection of CouchDB instances (or subnets, that is even worse)
> somewhere.
> 
> Where is this ‘somewhere’ located? Pinging blog.couchdb.org shows it points
> to lb.wordpress.com, which seems a bit ridiculous. CouchDB instances are
> not uncommon for very critical parts of infrastructure and security
> projects, and I doubt anyone wants to expose node IPs to _whatever_ logs,
> esp wordpress.com.
> 
> So I’d like to ask devs and users: does anyone think adding news to the
> admin panel worth creating such a security hole?
> 
> ermouth


Mime
View raw message