Posted to notifications@couchdb.apache.org by "nickva (via GitHub)" <gi...@apache.org> on 2023/01/24 08:15:46 UTC
[GitHub] [couchdb-pkg] nickva commented on pull request #106: allow more characters in cookie
nickva commented on PR #106:
URL: https://github.com/apache/couchdb-pkg/pull/106#issuecomment-1401532175
Testing with commit 567d1c4b3d9c4baa784957110ed7690f16131cae on a Debian Buster VM:
I see `\n` escaped properly but some control characters get through. If users can type in `\` as one of the characters they could generate any of the control characters.
cookie: `a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f`
`-setcookie 'a b\n ^M#{}()[]$&^!-=+?|//c\d\e\\f'`
Another example:
cookie: `a\n\t\ \x\\y\\\z//w///`
`-setcookie 'a\n x\y\z//w///'`
RPM test on CentOS 7
It seems the replacement had stopped working both for the user-supplied cookie in a variable and for the randomly generated one:
```
[root@nvcentos7 ~]# export COUCHDB_COOKIE='a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f'
[root@nvcentos7 ~]# echo ${COUCHDB_COOKIE}
a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f
[root@nvcentos7 ~]# rpm -i couchdb-3.3.1.1.1-1.el7.x86_64.rpm
Using defined COUCHDB_COOKIE value.
```
```
# All nodes must share the same magic cookie for distributed Erlang to work.
# Uncomment the following line and append a securely generated random value.
# -setcookie
```
For the randomly generated one:
```
[root@nvcentos7 ~]# rpm -i couchdb-3.3.1.1.1-1.el7.x86_64.rpm
Generating random cookie value.
[root@nvcentos7 ~]# grep setcookie /opt/couchdb/etc/vm.args
# -setcookie
```
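A post-install check for the two outcomes reported in the comment above (a control character expanded into the `-setcookie` line, and a `vm.args` that still holds the commented-out template), as an added example that is not part of the original comment or of couchdb-pkg. It assumes the installer writes `-setcookie '<value>'` on a single line; `check_setcookie` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of couchdb-pkg. Assumes the installer writes the
# cookie into vm.args on one line of the form:  -setcookie '<value>'

# check_setcookie FILE EXPECTED
# Prints one verdict: ok | commented | missing | empty | control-chars | mismatch
# Returns 0 only for "ok".
check_setcookie() {
    file=$1
    expected=$2
    # First active (uncommented) -setcookie line, if there is one.
    line=$(grep -E '^[[:space:]]*-setcookie([[:space:]]|$)' "$file" | head -n 1)
    if [ -z "$line" ]; then
        # No active line: separate the untouched template from a missing flag.
        if grep -qE '^[[:space:]]*#[[:space:]]*-setcookie' "$file"; then
            echo commented
        else
            echo missing
        fi
        return 1
    fi
    # A control character (tab, CR, ESC, ...) on the line means an escape
    # sequence in the input was expanded on its way into the file.
    if printf '%s' "$line" | LC_ALL=C grep -q '[[:cntrl:]]'; then
        echo control-chars
        return 1
    fi
    # Strip the flag name, the separating spaces and the single quotes.
    value=${line#*-setcookie}
    value=${value#"${value%%[! ]*}"}
    value=${value#\'}
    value=${value%\'}
    if [ -z "$value" ]; then echo empty; return 1; fi
    if [ "$value" != "$expected" ]; then echo mismatch; return 1; fi
    echo ok
}

# Constructed samples modelled on the two outcomes reported above.
sample=$(mktemp)
printf '%s\n' '# -setcookie' > "$sample"             # template left untouched
check_setcookie "$sample" 'a\n\t\ \x\\y\\\z//w///' || true
printf '%s\t%s\n' "-setcookie 'a" "b'" > "$sample"   # tab reached the file
check_setcookie "$sample" 'a\tb' || true
rm -f "$sample"
```

On an installed system the same function can be pointed at `/opt/couchdb/etc/vm.args` with the value of `COUCHDB_COOKIE` as the expected cookie.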