You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@couchdb.apache.org by "Robert Newson (JIRA)" <ji...@apache.org> on 2015/08/19 17:41:46 UTC

[jira] [Created] (COUCHDB-2781) Don't pass CSRF cookie to _replicate

Robert Newson created COUCHDB-2781:
--------------------------------------

             Summary: Don't pass CSRF cookie to _replicate
                 Key: COUCHDB-2781
                 URL: https://issues.apache.org/jira/browse/COUCHDB-2781
             Project: CouchDB
          Issue Type: Bug
      Security Level: public (Regular issues)
            Reporter: Robert Newson


If you use a local dbname for source and target chttpd will expand this to a url, including the cookie header. This was fine when we just had AuthSession but CSRF header will be included, and that breaks replication.

Instead, just pass the AuthSession cookie if found.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)