Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/10 15:00:57 UTC
couchdb commit: updated refs/heads/master to dda4a5f
Repository: couchdb
Updated Branches:
refs/heads/master a84fcb2d9 -> dda4a5f22
Remove new CSRF mechanism
Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/dda4a5f2
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/dda4a5f2
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/dda4a5f2
Branch: refs/heads/master
Commit: dda4a5f220fa5d3c705b784c9bb1f1dbe776d724
Parents: a84fcb2
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 10 12:26:29 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 10 14:00:46 2015 +0100
----------------------------------------------------------------------
dev/run | 7 +---
test/javascript/tests/csrf.js | 84 --------------------------------------
2 files changed, 2 insertions(+), 89 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb/blob/dda4a5f2/dev/run
----------------------------------------------------------------------
diff --git a/dev/run b/dev/run
index e519fa6..06c96be 100755
--- a/dev/run
+++ b/dev/run
@@ -30,7 +30,6 @@ import uuid
from pbkdf2 import pbkdf2_hex
COMMON_SALT = uuid.uuid4().hex
-COMMON_CSRF_SECRET = uuid.uuid4().hex
try:
from urllib import urlopen
@@ -259,11 +258,9 @@ def hack_local_ini(ctx, contents):
previous_line = "; require_valid_user = false\n"
contents = contents.replace(previous_line, previous_line + secret_line)
- csrf_secret = '\n\n[csrf]\nsecret = %s\n' % COMMON_CSRF_SECRET
-
if ctx['with_admin_party']:
ctx['admin'] = ('Admin Party!', 'You do not need any password.')
- return contents + csrf_secret
+ return contents
# handle admin credentials passed from cli or generate own one
if ctx['admin'] is None:
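Review bot: The new `return contents` in the admin-party branch, together with dropping the `[csrf]` append, stops writing the secret for new runs but does nothing about a `[csrf]` section that earlier runs of this script may already have appended to a generated local.ini; whether that is a concern depends on whether `contents` is rebuilt from a template on every run, which this hunk does not show. If the file is regenerated each time this is harmless and worth stating, e.g. a comment above the branch such as `# local.ini is rebuilt from the template on every run; no cleanup of older [csrf] sections is needed here -- TODO confirm`; if it is reused, the stale secret line should be stripped in the same place it used to be added. hack_local_ini starts before this hunk, so the origin of `contents` is not visible here. The same applies to the admin-credential return in the following hunk.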
@@ -271,7 +268,7 @@ def hack_local_ini(ctx, contents):
else:
user, pswd = ctx['admin']
- return contents + "\n%s = %s" % (user, hashify(pswd)) + csrf_secret
+ return contents + "\n%s = %s" % (user, hashify(pswd))
def gen_password():
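Review bot: The rewritten return line mixes `+` concatenation with `%` formatting and only reads correctly because `%` binds tighter than `+`; a single format call is clearer and avoids that subtlety: `return "%s\n%s = %s" % (contents, user, hashify(pswd))`. The enclosing function hack_local_ini starts outside this hunk, so the earlier branches that build `contents` are not visible here.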
http://git-wip-us.apache.org/repos/asf/couchdb/blob/dda4a5f2/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
deleted file mode 100644
index e16e78b..0000000
--- a/test/javascript/tests/csrf.js
+++ /dev/null
@@ -1,84 +0,0 @@
-// Licensed under the Apache License, Version 2.0 (the "License"); you may not
-// use this file except in compliance with the License. You may obtain a copy of
-// the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-// License for the specific language governing permissions and limitations under
-// the License.
-
-couchTests.csrf = function(debug) {
- var db = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
- db.deleteDb();
- db.createDb();
-
- if (debug) debugger;
-
- // Handy function to cause CouchDB to delete the CSRF cookie
- var deleteCsrf = function() {
- var xhr = CouchDB.request("POST", "/_session", {
- body: 'name=foo&password=bar',
- headers: {'X-CouchDB-CSRF': 'foo',
- 'Content-Type': 'application/x-www-form-urlencoded',
- 'Cookie': 'CouchDB-CSRF=foo'}});
- TEquals(403, xhr.status);
- };
-
- var testFun = function () {
- // Shouldn't receive header if we didn't ask for it
- var xhr = CouchDB.request("GET", "/");
- TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
- TEquals(200, xhr.status);
-
- // Matching but invalid cookie/header should 403
- xhr = CouchDB.request("POST", "/_session", {
- body: 'name=foo&password=bar',
- headers: {'X-CouchDB-CSRF': 'foo',
- 'Content-Type': 'application/x-www-form-urlencoded',
- 'Cookie': 'CouchDB-CSRF=foo'}});
- TEquals(403, xhr.status);
- TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
-
- // Can I acquire a CouchDB-CSRF cookie?
- xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'true'}});
- var cookie = xhr.getResponseHeader("Set-Cookie").match('^CouchDB-CSRF=([^;]+)');
- T(cookie, "Should receive cookie");
-
- // If I have a cookie, do I get a 403 if I don't send the header?
- xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
- headers: {'Content-Type':
- 'application/x-www-form-urlencoded'}});
- TEquals(403, xhr.status);
- TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
-
- // If I have a cookie, do I get a 200 if I send a matching header?
- xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
- headers: {"X-CouchDB-CSRF": cookie[1],
- 'Content-Type': 'application/x-www-form-urlencoded'}});
- TEquals(200, xhr.status);
- TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
-
- // How about the wrong header?
- xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
- headers: {'X-CouchDB-CSRF': 'foo',
- 'Content-Type': 'application/x-www-form-urlencoded'}});
- TEquals(403, xhr.status);
- TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
-
- deleteCsrf();
- };
-
- run_on_modified_server(
- [
- {section: "couch_httpd_auth",
- key: "iterations", value: "1"},
- {section: "admins",
- key: "foo", value: "bar"}
- ],
- testFun
- );
-
-};