Posted to notifications@couchdb.apache.org by "mohmesflir (via GitHub)" <gi...@apache.org> on 2023/06/21 20:37:44 UTC

[GitHub] [couchdb] mohmesflir opened a new issue, #4651: csp header parameters require semicolon separated list but seen as comment in .ini file

mohmesflir opened a new issue, #4651:
URL: https://github.com/apache/couchdb/issues/4651

   ## Description
   
   The [csp] header parameters (attachments_header_value, showlist_header_value, utils_header_value, and [deprecated] header_value) require a semicolon-separated list but the interpreter sees the semicolon as the start of a comment and so only the first list item is loaded from the .ini file.
   
   
   ## Steps to Reproduce
   From default.ini, an example CSP section may look like:
   ```
   ; CSP (Content Security Policy) Support
   [csp]
   utils_enable = true
   utils_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox allow-top-navigation;
   attachments_enable = true
   attachments_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox allow-top-navigation;
   showlist_enable = true
   showlist_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox allow-top-navigation;
   ```
   and this can be saved in the local.d ini file using the config tool.  However, when the service is restarted, only the first item in each list is loaded because the first semicolon is seen as the start of a comment.
   
   Manually changing the settings in localhost:5984/_utils/#_config/couchdb@localhost to:
   ![image](https://github.com/apache/couchdb/assets/42147617/1586921d-2b4c-4587-bbca-11dce7e85933)
   
   After restarting the service this is what you get:
   ![image](https://github.com/apache/couchdb/assets/42147617/5f77513a-f344-4e9d-b909-59ee878c340d)
   Everything after the first semicolon is missing.
   
   
   ## Expected Behaviour
   Unfortunately CSP requires the semicolon separation and will not accept a comma.  If these semicolons are changed to commas then the list reloads but fails to actually work when trying to load webpages served by the CouchDB server.  So either:
   - an escape character is needed for the semicolon
   - the server needs to change the comma to a semicolon
   - the ini loader needs to ignore the semicolon on these specific lines
   
   
   ## Your Environment
   
   
   * CouchDB version used: tested on 3.2.2 and 3.2.1
   * Operating system and version: Windows Server 2022 Standard 21H2 (OS build 20348.469)
   
   ## Additional Context
   
   Additional installations on Windows 10 PCs are not showing this issue, only the Windows Server installation.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
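
An added example, not part of the original report and not CouchDB's own code: a Python sketch that models the truncation described in the issue and lists which CSP directives would be missing after a reload. The cut-at-the-first-semicolon rule, the function names and the shortened sample .ini are assumptions made for illustration.

```python
CSP_KEYS = ("header_value", "utils_header_value",
            "attachments_header_value", "showlist_header_value")

def load_csp_section(ini_text, semicolon_is_comment):
    """Return {key: value} for the [csp] section.

    semicolon_is_comment=True models the behaviour described in the report
    (assumption: the value is cut at its first ';'); False keeps it whole.
    """
    section, values = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or full-line comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "csp" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if semicolon_is_comment:
            value = value.split(";", 1)[0].strip()
        values[key] = value
    return values

def directive_names(policy):
    """Split a CSP string on ';' and return the directive names in order."""
    return [d.split()[0] for d in policy.split(";") if d.strip()]

def dropped_directives(ini_text):
    """Map each CSP header key to the directives lost on reload."""
    intended = load_csp_section(ini_text, semicolon_is_comment=False)
    loaded = load_csp_section(ini_text, semicolon_is_comment=True)
    report = {}
    for key in CSP_KEYS:
        if key in intended:
            kept = set(directive_names(loaded[key]))
            lost = [d for d in directive_names(intended[key]) if d not in kept]
            if lost:
                report[key] = lost
    return report

# Constructed sample, shortened from the policy quoted in the report.
SAMPLE_INI = """\
; CSP (Content Security Policy) Support
[csp]
utils_enable = true
utils_header_value = default-src 'self'; img-src 'self'; font-src *; sandbox allow-forms allow-scripts;
attachments_enable = true
attachments_header_value = sandbox
"""
```

The same `directive_names` comparison can be run against the `Content-Security-Policy` header a server actually returns to confirm that every configured directive is being served.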


[GitHub] [couchdb] nickva closed issue #4651: csp header parameters require semicolon separated list but seen as comment in .ini file

Posted by "nickva (via GitHub)" <gi...@apache.org>.
nickva closed issue #4651: csp header parameters require semicolon separated list but seen as comment in .ini file
URL: https://github.com/apache/couchdb/issues/4651




[GitHub] [couchdb] nickva commented on issue #4651: csp header parameters require semicolon separated list but seen as comment in .ini file

Posted by "nickva (via GitHub)" <gi...@apache.org>.
nickva commented on issue #4651:
URL: https://github.com/apache/couchdb/issues/4651#issuecomment-1603262201

   @mohmesflir this PR should fix the issue https://github.com/apache/couchdb/pull/4653




[GitHub] [couchdb] mohmesflir commented on issue #4651: csp header parameters require semicolon separated list but seen as comment in .ini file

Posted by "mohmesflir (via GitHub)" <gi...@apache.org>.
mohmesflir commented on issue #4651:
URL: https://github.com/apache/couchdb/issues/4651#issuecomment-1603124736

   Just tested 3.2.3 and it is loading the values correctly




[GitHub] [couchdb] nickva commented on issue #4651: csp header parameters require semicolon separated list but seen as comment in .ini file

Posted by "nickva (via GitHub)" <gi...@apache.org>.
nickva commented on issue #4651:
URL: https://github.com/apache/couchdb/issues/4651#issuecomment-1603141648

   Thank you for your report @mohmesflir. That does look like a bug. We'll try to investigate and have a fix in the next release.

