Posted to notifications@couchdb.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2017/02/23 07:06:44 UTC

[jira] [Commented] (COUCHDB-3257) Replicator accepts and then returns invalid urls

    [ https://issues.apache.org/jira/browse/COUCHDB-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15880017#comment-15880017 ] 

ASF subversion and git services commented on COUCHDB-3257:
----------------------------------------------------------

Commit dd46a41df50e03449395424083c29ff66cd76fa6 in couchdb-fauxton's branch refs/heads/master from [~robertkowalski]
[ https://git-wip-us.apache.org/repos/asf?p=couchdb-fauxton.git;h=dd46a41 ]

Replication: hotfix url parsing for invalid urls

See COUCHDB-3257: sometimes the replicator returns invalid urls
which are not encoded. This makes standard-conforming url parsers
choke.

This catches the exception, with the tradeoff of displaying the
password in the cases where the url is invalid.


> Replicator accepts and then returns invalid urls
> ------------------------------------------------
>
>                 Key: COUCHDB-3257
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3257
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core, Replication
>            Reporter: Robert Kowalski
>
> We have an issue that manifests for us in Fauxton but will manifest in any other web browser / url parser.
> The replicator accepts invalid urls. This means it will also return invalid urls on request. These urls make standard-conforming url parsers bail. Example:
> https://rocko:pass#word@example.com/blerg is not valid url syntax. The hash has to be encoded.
> Discussion from #whatwg:
> {code}
> 12:17:03 < robertkowalski> annevk: question to the url spec
> 12:17:16 < robertkowalski> before i open an issue / investigate further
> 12:18:11 < robertkowalski> new URL('https://rocko:pass#word@example.com/blerg')
> 12:18:16 -!-frivoal [~frivoal@2400:2650:86c0:a500:6c4e:56ad:30ff:8140] has joined #whatwg
> 12:18:18 < robertkowalski> throws because of the hash
> 12:19:29 < robertkowalski> i haven't found a section regarding passwords and special / reserved chars. is this a bug in the spec? it limits the amount
>                            possible passwords a lot
> 12:20:06 < nox> robertkowalski: It should be encoded.
> 12:20:23 < annevk> Yeah, you can encode it
> 12:21:16 < annevk> robertkowalski: the specification basically doesn't want you to use URLs to encode username/password
> 12:21:29 < annevk> robertkowalski: https://url.spec.whatwg.org/#url-syntax doesn't allow them
> 12:21:46 < annevk> robertkowalski: (see note at the end of that section)
> 12:22:39 < annevk> robertkowalski: the reason that throws though I think is because # is seen as the start of the path and then a host cannot contain :
> 12:22:43 -!-frivoal [~frivoal@2400:2650:86c0:a500:6c4e:56ad:30ff:8140] has quit [Ping timeout: 258 seconds]
> 12:22:51 < annevk> robertkowalski: well, because :pass is not a valid port
> 12:23:54 < annevk> robertkowalski: for that, see how https://url.spec.whatwg.org/#authority-state and also the host state will treat # as the end of that
> 12:24:25 < annevk> robertkowalski: and https://url.spec.whatwg.org/#port-state for how port will return failure for non-digits
> 12:27:16 < robertkowalski> thank you
> 12:27:46 < robertkowalski> the replicator in couchdb accepts urls with hash as part of the password
> 12:27:57 < robertkowalski> and when we pull them out and want to use them in the browser
> 12:27:59 < robertkowalski> it explodes
> 12:30:14 < nox> robertkowalski: new URL('https://rocko:pass%23word@example.com/blerg')
> 12:31:18 < robertkowalski> ty nox - we run into a chicken egg problem here. as we use `new URL` to parse the URL ^^
> 12:31:31 < robertkowalski> so we probably have to fix that in the couch api, not in the frontend
> 12:36:15 < annevk> robertkowalski: yeah, it sounds like the Couch DB API parses URLs differently from browsers
> 12:36:43 < annevk> robertkowalski: that will cause subtle bugs
> {code}
> Proposal:
>  - Reject invalid urls and add an automatic migration strategy for invalid urls in the replicator



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
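
The commit message above accepts showing the password whenever `new URL` throws. As an added example (not Fauxton's or CouchDB's code), the sketch below masks the password on both the valid and the invalid path, and percent-encodes credentials in the way the proposed migration would need. `MASK`, `splitLenient`, `redactUrl` and `encodeCredentials` are hypothetical names, and the lenient split rule is an assumption about how the stored strings are shaped.

```javascript
// Added example, not Fauxton's code. All names here are hypothetical.
const MASK = '*****';

// Lenient split for strings that `new URL` rejects: the userinfo is taken to be
// everything between "://" and the LAST "@". Assumption: an "@" later in the
// path makes this over-match, which hides more text, never less.
function splitLenient(raw) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/)(.*)$/i.exec(raw);
  if (!m) return null;
  const at = m[2].lastIndexOf('@');
  if (at === -1) return { scheme: m[1], user: null, password: null, tail: m[2] };
  const userinfo = m[2].slice(0, at);
  const colon = userinfo.indexOf(':');
  return {
    scheme: m[1],
    user: colon === -1 ? userinfo : userinfo.slice(0, colon),
    password: colon === -1 ? null : userinfo.slice(colon + 1),
    tail: m[2].slice(at + 1),
  };
}

// Display form: the password is masked whether or not the URL is valid.
function redactUrl(raw) {
  try {
    const u = new URL(raw);
    if (u.password) u.password = MASK;
    return u.href;
  } catch (err) {
    if (!(err instanceof TypeError)) throw err; // only parse failures fall through
  }
  const p = splitLenient(raw);
  if (!p) return '[unparseable URL hidden]'; // fail closed: show nothing
  if (p.user === null) return p.scheme + p.tail; // no "@", so no credentials
  const cred = p.password === null ? p.user : `${p.user}:${MASK}`;
  return `${p.scheme}${cred}@${p.tail}`;
}

// Migration form: percent-encode the credentials so the stored value parses.
// Assumption: the stored credentials are raw (not already percent-encoded).
function encodeCredentials(raw) {
  const p = splitLenient(raw);
  if (!p || p.user === null) return raw;
  const pass = p.password === null ? '' : ':' + encodeURIComponent(p.password);
  return `${p.scheme}${encodeURIComponent(p.user)}${pass}@${p.tail}`;
}
```

`encodeCredentials` should only be applied to values that `new URL` has already rejected; running it on an already-encoded URL would double-encode the `%`.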