You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by "Nathan Vander Wilt (JIRA)" <ji...@apache.org> on 2012/11/18 01:50:12 UTC
[jira] [Created] (COUCHDB-1607) cookie_authentication_handler does
not properly handle AuthSession signatures starting with ":" character(s)
Nathan Vander Wilt created COUCHDB-1607:
-------------------------------------------
Summary: cookie_authentication_handler does not properly handle AuthSession signatures starting with ":" character(s)
Key: COUCHDB-1607
URL: https://issues.apache.org/jira/browse/COUCHDB-1607
Project: CouchDB
Issue Type: Bug
Affects Versions: 1.2
Reporter: Nathan Vander Wilt
Priority: Critical
AuthSession cookies will intermittently "break" — a user will have a perfectly valid session, but suddenly after their cookie gets refreshed they can randomly get "logged out" for practical purposes.
The cause is that Erlang's `string:tokens` behaviour does act as this code expects:
https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L163
https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L183
After evaluating `[A,B | C] = string:tokens("a:b::c:d").` the value of C is not `["","c","d"]` but rather `["c","d"]`. So when rejoined, the signature becomes "c:d" instead of the original ":c:d"!
It appears that using re.split/2 would avoid this problem, but yields a list/array result containing <<"">> instead of "" types, which string:join does not like. Should be pretty quick fix though for someone who knows just a bit more of the Erlang way.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (COUCHDB-1607) cookie_authentication_handler
does not properly handle AuthSession signatures starting with ":"
character(s)
Posted by "Robert Newson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13499782#comment-13499782 ]
Robert Newson commented on COUCHDB-1607:
----------------------------------------
Nathan, nice sleuthing. If the HashPart (aka _C) begins with a ":" we'll get a verification failure, the same is true for a HashPart with any two or more consecutive ":"'s, for the same reason. All because string:tokens silently omits empty tokens, rather than leaving a spacer. The re:split/2 method fixes that neatly.
The list/binary stuff is annoying but not strictly related.
And here's the difference itself;
string:tokens("User:Time:Foo::Bar",":") -> ["User","Time","Foo","Bar"]
re:split("User:Time:Foo::Bar",":") -> [<<"User">>,<<"Time">>,<<"Foo">>,<<>>,<<"Bar">>]
That's a hash part that, by chance, has two adjacent colon characters. Since it's silently dropped in the first case, a subsequent join with ":" will not produce the original string. boom.
> cookie_authentication_handler does not properly handle AuthSession signatures starting with ":" character(s)
> ------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1607
> URL: https://issues.apache.org/jira/browse/COUCHDB-1607
> Project: CouchDB
> Issue Type: Bug
> Affects Versions: 1.2
> Reporter: Nathan Vander Wilt
> Priority: Critical
>
> AuthSession cookies will intermittently "break" — a user will have a perfectly valid session, but suddenly after their cookie gets refreshed they can randomly get "logged out" for practical purposes.
> The cause is that Erlang's `string:tokens` behaviour does act as this code expects:
> https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L163
> https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L183
> After evaluating `[A,B | C] = string:tokens("a:b::c:d").` the value of C is not `["","c","d"]` but rather `["c","d"]`. So when rejoined, the signature becomes "c:d" instead of the original ":c:d"!
> It appears that using re.split/2 would avoid this problem, but yields a list/array result containing <<"">> instead of "" types, which string:join does not like. Should be pretty quick fix though for someone who knows just a bit more of the Erlang way.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (COUCHDB-1607) cookie_authentication_handler
does not properly handle AuthSession signatures starting with ":"
character(s)
Posted by "Dale Harvey (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13499581#comment-13499581 ]
Dale Harvey commented on COUCHDB-1607:
--------------------------------------
Good debugging, you can use re:split("a:b:c", ":", [{return, list}]). although I would be worried about 1. why its using lists at all, 2. why is it generating an empty value in the first place?
> cookie_authentication_handler does not properly handle AuthSession signatures starting with ":" character(s)
> ------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1607
> URL: https://issues.apache.org/jira/browse/COUCHDB-1607
> Project: CouchDB
> Issue Type: Bug
> Affects Versions: 1.2
> Reporter: Nathan Vander Wilt
> Priority: Critical
>
> AuthSession cookies will intermittently "break" — a user will have a perfectly valid session, but suddenly after their cookie gets refreshed they can randomly get "logged out" for practical purposes.
> The cause is that Erlang's `string:tokens` behaviour does act as this code expects:
> https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L163
> https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L183
> After evaluating `[A,B | C] = string:tokens("a:b::c:d").` the value of C is not `["","c","d"]` but rather `["c","d"]`. So when rejoined, the signature becomes "c:d" instead of the original ":c:d"!
> It appears that using re.split/2 would avoid this problem, but yields a list/array result containing <<"">> instead of "" types, which string:join does not like. Should be pretty quick fix though for someone who knows just a bit more of the Erlang way.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (COUCHDB-1607) cookie_authentication_handler does
not properly handle AuthSession signatures starting with ":" character(s)
Posted by "Robert Newson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Newson resolved COUCHDB-1607.
------------------------------------
Resolution: Fixed
Fix Version/s: 1.3
> cookie_authentication_handler does not properly handle AuthSession signatures starting with ":" character(s)
> ------------------------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1607
> URL: https://issues.apache.org/jira/browse/COUCHDB-1607
> Project: CouchDB
> Issue Type: Bug
> Affects Versions: 1.2
> Reporter: Nathan Vander Wilt
> Priority: Critical
> Fix For: 1.3
>
>
> AuthSession cookies will intermittently "break" — a user will have a perfectly valid session, but suddenly after their cookie gets refreshed they can randomly get "logged out" for practical purposes.
> The cause is that Erlang's `string:tokens` behaviour does act as this code expects:
> https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L163
> https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L183
> After evaluating `[A,B | C] = string:tokens("a:b::c:d").` the value of C is not `["","c","d"]` but rather `["c","d"]`. So when rejoined, the signature becomes "c:d" instead of the original ":c:d"!
> It appears that using re.split/2 would avoid this problem, but yields a list/array result containing <<"">> instead of "" types, which string:join does not like. Should be pretty quick fix though for someone who knows just a bit more of the Erlang way.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira