Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/04 13:40:43 UTC

couchdb commit: updated refs/heads/master to 315832d

Repository: couchdb
Updated Branches:
  refs/heads/master 93cc067ff -> 315832d4d


Adapt csrf test to hit form data endpoint

COUCHDB-2797


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/315832d4
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/315832d4
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/315832d4

Branch: refs/heads/master
Commit: 315832d4dbc402347e4154eaf17b20587bbb6ea0
Parents: 93cc067
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 3 22:06:58 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 3 22:06:58 2015 +0100

----------------------------------------------------------------------
 test/javascript/tests/csrf.js | 43 ++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/315832d4/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
index 9799d6f..e16e78b 100644
--- a/test/javascript/tests/csrf.js
+++ b/test/javascript/tests/csrf.js
@@ -19,21 +19,26 @@ couchTests.csrf = function(debug) {
 
   // Handy function to cause CouchDB to delete the CSRF cookie
   var deleteCsrf = function() {
-    var xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
-                              body: '{"keys": []}',
-                              headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+    var xhr = CouchDB.request("POST", "/_session", {
+                              body: 'name=foo&password=bar',
+                              headers: {'X-CouchDB-CSRF': 'foo',
+                                        'Content-Type': 'application/x-www-form-urlencoded',
+                                        'Cookie': 'CouchDB-CSRF=foo'}});
     TEquals(403, xhr.status);
   };
 
+  var testFun = function () {
   // Shouldn't receive header if we didn't ask for it
   var xhr = CouchDB.request("GET", "/");
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
   TEquals(200, xhr.status);
 
   // Matching but invalid cookie/header should 403
-  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
-                        body: '{"keys": []}',
-                        headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+  xhr = CouchDB.request("POST", "/_session", {
+                        body: 'name=foo&password=bar',
+                        headers: {'X-CouchDB-CSRF': 'foo',
+                                  'Content-Type': 'application/x-www-form-urlencoded',
+                                  'Cookie': 'CouchDB-CSRF=foo'}});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
 
@@ -43,21 +48,37 @@ couchTests.csrf = function(debug) {
   T(cookie, "Should receive cookie");
 
   // If I have a cookie, do I get a 403 if I don't send the header?
-  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}'});
+  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+                                              headers: {'Content-Type':
+                                                        'application/x-www-form-urlencoded'}});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
 
   // If I have a cookie, do I get a 200 if I send a matching header?
-  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
-                                                             headers: {"X-CouchDB-CSRF": cookie[1]}});
+  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+                                              headers: {"X-CouchDB-CSRF": cookie[1],
+                                                        'Content-Type': 'application/x-www-form-urlencoded'}});
   TEquals(200, xhr.status);
   TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
 
   // How about the wrong header?
-  xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
-                                                             headers: {'X-CouchDB-CSRF': 'foo'}});
+  xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
+                                              headers: {'X-CouchDB-CSRF': 'foo',
+                                                        'Content-Type': 'application/x-www-form-urlencoded'}});
   TEquals(403, xhr.status);
   TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
 
   deleteCsrf();
+  };
+
+  run_on_modified_server(
+    [
+     {section: "couch_httpd_auth",
+      key: "iterations", value: "1"},
+     {section: "admins",
+       key: "foo", value: "bar"}
+    ],
+    testFun
+  );
+
 };
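Review bot: `deleteCsrf()` on the last line of `testFun` is the only cleanup of the CSRF cookie, and it is skipped whenever an earlier `TEquals` fails — if the suite's assertions throw, as I believe `T`/`TEquals` do, a failing run leaves a valid `CouchDB-CSRF` cookie behind for whatever test runs next on the same server. Wrapping the body in `try { … } finally { deleteCsrf(); }` makes the cleanup unconditional and keeps a single failure from cascading. The `run_on_modified_server` block would also read better with a short comment on why it sets `iterations` to `"1"` (presumably to keep PBKDF2 cheap so the admin `foo` can log in quickly in a test — confirm), since a reader could otherwise mistake it for a production-relevant setting. `testFun` opens in the previous hunk.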