From: Brian Candler
To: user@couchdb.apache.org
Subject: docids starting with underscore
Date: Tue, 3 Feb 2009 21:24:43 +0000
Message-ID: <20090203212443.GA9329@uk.tiscali.com>

I'm not sure if this is a bug, or simply a case of "don't do that"!

{"couchdb":"Welcome","version":"0.9.0a739811-incubating"}

I see it is possible to create documents with IDs starting with an
underscore, such as _view, using the _bulk_docs API

$ curl -X POST -d '{"docs":[{"_id":"_view","foo":"bar"}]}' http://localhost:5984/test_suite_db/_bulk_docs; echo
{"ok":true,"new_revs":[{"id":"_view","rev":"3737122827"}]}

[Aside: use of "id" and "_id" doesn't appear to be consistent, but that's a
separate discussion]

If you then try to retrieve this document using the normal GET API, it barfs
a 405 error (not surprisingly, since dbname/_view has a special meaning)

However it is still possible to retrieve it using multi document fetch:

$ curl 'http://localhost:5984/test_suite_db/_all_docs?key="_view"&include_docs=true'
{"total_rows":10,"offset":3,"rows":[
{"id":"_view","key":"_view","value":{"rev":"3737122827"},
"doc":{"_id":"_view","_rev":"3737122827","foo":"bar"}}
]}

I wonder if there is any value in the server restricting the docid?

However even if it did, it's still up to application writers to be careful
of this, especially if one document refers to another. E.g. if a malicious
client writes "customer_id":"_external/foo/bar" into an invoice record, then
it may make another client perform requests with unforeseen side effects
when looking up the 'customer' for this invoice.

So at least, perhaps the client-side API libraries ought to forbid docids
which begin with underscore, even if the underlying database doesn't.

Anyway, just a thought.

(I came across this issue when modifying a Rails app to use /things/name
instead of /things/id - which is easily done using to_param. I then had an
ambiguity as to whether /things/new was an individual thing, or an action on
the collection of things!)

Regards,

Brian.
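
An added example, not part of the original message and not code from CouchDB or any client library: a Python sketch of the client-side check the message suggests, applied both before a _bulk_docs write and when following a reference such as customer_id. The function names, the sample invoice documents and the policy of rejecting every underscore-prefixed ID are assumptions made for illustration.

```python
from urllib.parse import quote

BASE, DB = "http://localhost:5984", "test_suite_db"   # values from the message

class UnsafeDocId(ValueError):
    """Raised when a value must not be used as an ordinary document ID."""

def check_doc_id(doc_id):
    """Return doc_id if it is a non-empty string that does not start with '_'."""
    if not isinstance(doc_id, str) or not doc_id:
        raise UnsafeDocId("doc id must be a non-empty string")
    if doc_id.startswith("_"):
        raise UnsafeDocId("doc id %r starts with an underscore" % doc_id)
    return doc_id

def doc_url(base, db, doc_id):
    """Build the GET URL for one document. '/' in the ID is percent-encoded
    so the ID always stays a single path segment under the database."""
    check_doc_id(doc_id)
    return "%s/%s/%s" % (base.rstrip("/"), quote(db, safe=""), quote(doc_id, safe=""))

def rejected_bulk_ids(docs):
    """Return the explicit _id values in a _bulk_docs payload that fail the
    check. Documents without _id are skipped (the server assigns one)."""
    bad = []
    for doc in docs:
        if "_id" in doc:
            try:
                check_doc_id(doc["_id"])
            except UnsafeDocId:
                bad.append(doc["_id"])
    return bad

def resolve_reference(doc, field, base=BASE, db=DB):
    """Turn a reference stored in a fetched document into a URL, or None
    when the stored value is not acceptable as a document ID."""
    try:
        return doc_url(base, db, doc.get(field))
    except UnsafeDocId:
        return None

# Constructed sample documents; the first carries the value from the message.
INVOICE_BAD = {"_id": "invoice-1", "customer_id": "_external/foo/bar"}
INVOICE_OK = {"_id": "invoice-2", "customer_id": "cust-42"}

if __name__ == "__main__":
    print(resolve_reference(INVOICE_BAD, "customer_id"))
    print(resolve_reference(INVOICE_OK, "customer_id"))
    print(rejected_bulk_ids([{"_id": "_view", "foo": "bar"}, {"foo": "baz"}]))
```

A caller that gets None from resolve_reference should treat the referencing document as untrusted data and not issue any request for it.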