[GitHub] [couchdb-pkg] nickva commented on pull request #106: allow more characters in cookie

["nickva (via GitHub)" <gi...@apache.org>]

nickva commented on PR #106:
URL: https://github.com/apache/couchdb-pkg/pull/106#issuecomment-1401532175

   Testing with commit 567d1c4b3d9c4baa784957110ed7690f16131cae on a Debian Buster VM:
   
   I see `\n` escaped properly but some control characters get through. If users can type in `\` as one of the characters they could generate any of the control characters.
   
   cookie: `a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f`
   `-setcookie 'a b\n       ^M#{}()[]$&^!-=+?|//c\d\e\\f'`
   
   another example
   
   cookie: `a\n\t\ \x\\y\\\z//w///`
   `-setcookie 'a\n	 x\y\z//w///'`
   
   
   RPM test on CentOS 7
   
   It seems the replacement had stopped working both for the user supplied cookie in a variable or for the randomly generated one:
   
   ```
   [root@nvcentos7 ~]# export COUCHDB_COOKIE='a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f'
   [root@nvcentos7 ~]# echo ${COUCHDB_COOKIE}
   a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f
   [root@nvcentos7 ~]# rpm -i couchdb-3.3.1.1.1-1.el7.x86_64.rpm 
   Using defined COUCHDB_COOKIE value.
   ```
   ```
   # All nodes must share the same magic cookie for distributed Erlang to work.
   # Uncomment the following line and append a securely generated random value.
   # -setcookie
   ```
   
   For random generated one:
   ```
   [root@nvcentos7 ~]# rpm -i couchdb-3.3.1.1.1-1.el7.x86_64.rpm 
   Generating random cookie value.
   [root@nvcentos7 ~]# grep setcookie /opt/couchdb/etc/vm.args 
   # -setcookie
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org