You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by "Jason Smith (JIRA)" <ji...@apache.org> on 2010/07/05 07:31:50 UTC
[jira] Created: (COUCHDB-815) Non-standard HTTP methods for view
handlers (AKA WebDAV is b0rken) [PATCH]
Non-standard HTTP methods for view handlers (AKA WebDAV is b0rken) [PATCH]
--------------------------------------------------------------------------
Key: COUCHDB-815
URL: https://issues.apache.org/jira/browse/COUCHDB-815
Project: CouchDB
Issue Type: Bug
Components: Database Core
Affects Versions: 1.0
Reporter: Jason Smith
Priority: Minor
CouchDB prevents the new view server handler methods, _show, _update, etc. from handling unknown HTTP methods. This prevents Couch apps from being able to implement extensions to the HTTP specification or to add application-specific methods to HTTP, violating the spirit of _show and _update.
For example, it is not possible to make a CouchApp WebDAV server because _show and _list must support the PROPFIND method.
In couch_httpd:handle_request_int/5, the response from Mochi is coerced to an atom if and only if the atom already exists (using couch_util:to_existing_atom/1). That is an odd whitelist, to say the least:
$ curl localhost:5984 -X PROPFIND # Crashes mochiweb when to_existing_atom throws badarg
curl: (52) Empty reply from server
$ curl localhost:5984 -X list_to_binary # Any atom works
{"error":"method_not_allowed","reason":"Only GET,HEAD allowed"}
Considering the cURL commands above, I filed this as a bug, not a feature. I will explore some options and submit patches.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (COUCHDB-815) Non-standard HTTP methods for view
handlers (AKA WebDAV is b0rken) [PATCH]
Posted by "Jason Smith (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Smith updated COUCHDB-815:
--------------------------------
Attachment: bad_allow_any_http_method.patch
This patch provides a good unit test. Its solution is wrong but instructive.
The simplest way to pass the test is to use to_atom instead of to_existing_atom. Unfortunately, this allows a denial of service. A buggy client or DOS attacker could hit the server with random HTTP methods and fill up the atom table, presumably leaking memory and probably crashing the VM when the OS kills it.
So, how can handle_request_int allow any HTTP method (at least if it is destined for _show, _list, _update) without creating an atom per method?
> Non-standard HTTP methods for view handlers (AKA WebDAV is b0rken) [PATCH]
> --------------------------------------------------------------------------
>
> Key: COUCHDB-815
> URL: https://issues.apache.org/jira/browse/COUCHDB-815
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Affects Versions: 1.0
> Reporter: Jason Smith
> Priority: Minor
> Attachments: bad_allow_any_http_method.patch
>
>
> CouchDB prevents the new view server handler methods, _show, _update, etc. from handling unknown HTTP methods. This prevents Couch apps from being able to implement extensions to the HTTP specification or to add application-specific methods to HTTP, violating the spirit of _show and _update.
> For example, it is not possible to make a CouchApp WebDAV server because _show and _list must support the PROPFIND method.
> In couch_httpd:handle_request_int/5, the response from Mochi is coerced to an atom if and only if the atom already exists (using couch_util:to_existing_atom/1). That is an odd whitelist, to say the least:
> $ curl localhost:5984 -X PROPFIND # Crashes mochiweb when to_existing_atom throws badarg
> curl: (52) Empty reply from server
> $ curl localhost:5984 -X list_to_binary # Any atom works
> {"error":"method_not_allowed","reason":"Only GET,HEAD allowed"}
> Considering the cURL commands above, I filed this as a bug, not a feature. I will explore some options and submit patches.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (COUCHDB-815) Non-standard HTTP methods for view
handlers (AKA WebDAV is b0rken) [PATCH]
Posted by "Chris Anderson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Anderson closed COUCHDB-815.
----------------------------------
Resolution: Fixed
Forgot to mark this as closed. Thanks!
> Non-standard HTTP methods for view handlers (AKA WebDAV is b0rken) [PATCH]
> --------------------------------------------------------------------------
>
> Key: COUCHDB-815
> URL: https://issues.apache.org/jira/browse/COUCHDB-815
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Affects Versions: 1.0
> Environment: Erlang/OTP R13B04
> Reporter: Jason Smith
> Priority: Minor
> Attachments: allow_http_method_convert_to_binary.patch, bad_allow_any_http_method.patch
>
>
> CouchDB prevents the new view server handler methods, _show, _update, etc. from handling unknown HTTP methods. This prevents Couch apps from being able to implement extensions to the HTTP specification or to add application-specific methods to HTTP, violating the spirit of _show and _update.
> For example, it is not possible to make a CouchApp WebDAV server because _show and _list must support the PROPFIND method.
> In couch_httpd:handle_request_int/5, the response from Mochi is coerced to an atom if and only if the atom already exists (using couch_util:to_existing_atom/1). That is an odd whitelist, to say the least:
> $ curl localhost:5984 -X PROPFIND # Crashes mochiweb when to_existing_atom throws badarg
> curl: (52) Empty reply from server
> $ curl localhost:5984 -X list_to_binary # Any atom works
> {"error":"method_not_allowed","reason":"Only GET,HEAD allowed"}
> Considering the cURL commands above, I filed this as a bug, not a feature. I will explore some options and submit patches.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (COUCHDB-815) Non-standard HTTP methods for view
handlers (AKA WebDAV is b0rken) [PATCH]
Posted by "Jason Smith (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12885118#action_12885118 ]
Jason Smith commented on COUCHDB-815:
-------------------------------------
A workaround if you have admin access is to make an Erlang design document with a show function to define those atoms:
{
"_id": "_design/enable_dav",
"usage": "curl localhost:5984/dav/_design/enable_dav/_show/add_atoms",
"language": "erlang",
"shows": {
"add_atoms": "fun(Doc, {Req}) ->
'PROPFIND', 'PROPPATCH', 'MKCOL', 'COPY', 'MOVE', 'LOCK', 'UNLOCK',
{[{<<\"body\">>, <<\"WebDAV enabled\\n\">>}]}
end."
}
}
And then you hit the view once per VM execution.
> Non-standard HTTP methods for view handlers (AKA WebDAV is b0rken) [PATCH]
> --------------------------------------------------------------------------
>
> Key: COUCHDB-815
> URL: https://issues.apache.org/jira/browse/COUCHDB-815
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Affects Versions: 1.0
> Reporter: Jason Smith
> Priority: Minor
> Attachments: bad_allow_any_http_method.patch
>
>
> CouchDB prevents the new view server handler methods, _show, _update, etc. from handling unknown HTTP methods. This prevents Couch apps from being able to implement extensions to the HTTP specification or to add application-specific methods to HTTP, violating the spirit of _show and _update.
> For example, it is not possible to make a CouchApp WebDAV server because _show and _list must support the PROPFIND method.
> In couch_httpd:handle_request_int/5, the response from Mochi is coerced to an atom if and only if the atom already exists (using couch_util:to_existing_atom/1). That is an odd whitelist, to say the least:
> $ curl localhost:5984 -X PROPFIND # Crashes mochiweb when to_existing_atom throws badarg
> curl: (52) Empty reply from server
> $ curl localhost:5984 -X list_to_binary # Any atom works
> {"error":"method_not_allowed","reason":"Only GET,HEAD allowed"}
> Considering the cURL commands above, I filed this as a bug, not a feature. I will explore some options and submit patches.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (COUCHDB-815) Non-standard HTTP methods for view
handlers (AKA WebDAV is b0rken) [PATCH]
Posted by "Jason Smith (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Smith updated COUCHDB-815:
--------------------------------
Environment: Erlang/OTP R13B04
Note my erlang version since I am unsure if my patch (catch _:_) supports old OTP which for all I know throws single atoms instead of class:instance
> Non-standard HTTP methods for view handlers (AKA WebDAV is b0rken) [PATCH]
> --------------------------------------------------------------------------
>
> Key: COUCHDB-815
> URL: https://issues.apache.org/jira/browse/COUCHDB-815
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Affects Versions: 1.0
> Environment: Erlang/OTP R13B04
> Reporter: Jason Smith
> Priority: Minor
> Attachments: allow_http_method_convert_to_binary.patch, bad_allow_any_http_method.patch
>
>
> CouchDB prevents the new view server handler methods, _show, _update, etc. from handling unknown HTTP methods. This prevents Couch apps from being able to implement extensions to the HTTP specification or to add application-specific methods to HTTP, violating the spirit of _show and _update.
> For example, it is not possible to make a CouchApp WebDAV server because _show and _list must support the PROPFIND method.
> In couch_httpd:handle_request_int/5, the response from Mochi is coerced to an atom if and only if the atom already exists (using couch_util:to_existing_atom/1). That is an odd whitelist, to say the least:
> $ curl localhost:5984 -X PROPFIND # Crashes mochiweb when to_existing_atom throws badarg
> curl: (52) Empty reply from server
> $ curl localhost:5984 -X list_to_binary # Any atom works
> {"error":"method_not_allowed","reason":"Only GET,HEAD allowed"}
> Considering the cURL commands above, I filed this as a bug, not a feature. I will explore some options and submit patches.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (COUCHDB-815) Non-standard HTTP methods for view
handlers (AKA WebDAV is b0rken) [PATCH]
Posted by "Jason Smith (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Smith updated COUCHDB-815:
--------------------------------
Attachment: allow_http_method_convert_to_binary.patch
Upon further investigation, I believe there is a bug in couch_util:to_existing_atom. The comment says that it will return the original value if no atom exists. But why does it throw an exception then?
The attached patch properly catches the error:badarg thrown by the *_to_existing_atom BIFs. This allows the method parameter to remain a string
Unfortunately, methods of string (list) type are converted to a list-of-integers when sending to the view server. Therefore couch_httpd_external:json_req_obj must go ahead and
I like this patch:
* It does as little as possible at the early stage, when the request comes in
* It does not convert unknown requests to atoms--pattern matching will keep them away from existing code
* Yet it correctly forwards unknown methods to the view server _show et al whether standard or not
> Non-standard HTTP methods for view handlers (AKA WebDAV is b0rken) [PATCH]
> --------------------------------------------------------------------------
>
> Key: COUCHDB-815
> URL: https://issues.apache.org/jira/browse/COUCHDB-815
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Affects Versions: 1.0
> Reporter: Jason Smith
> Priority: Minor
> Attachments: allow_http_method_convert_to_binary.patch, bad_allow_any_http_method.patch
>
>
> CouchDB prevents the new view server handler methods, _show, _update, etc. from handling unknown HTTP methods. This prevents Couch apps from being able to implement extensions to the HTTP specification or to add application-specific methods to HTTP, violating the spirit of _show and _update.
> For example, it is not possible to make a CouchApp WebDAV server because _show and _list must support the PROPFIND method.
> In couch_httpd:handle_request_int/5, the response from Mochi is coerced to an atom if and only if the atom already exists (using couch_util:to_existing_atom/1). That is an odd whitelist, to say the least:
> $ curl localhost:5984 -X PROPFIND # Crashes mochiweb when to_existing_atom throws badarg
> curl: (52) Empty reply from server
> $ curl localhost:5984 -X list_to_binary # Any atom works
> {"error":"method_not_allowed","reason":"Only GET,HEAD allowed"}
> Considering the cURL commands above, I filed this as a bug, not a feature. I will explore some options and submit patches.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (COUCHDB-815) Non-standard HTTP methods for view
handlers (AKA WebDAV is b0rken) [PATCH]
Posted by "Jason Smith (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12890243#action_12890243 ]
Jason Smith commented on COUCHDB-815:
-------------------------------------
Looks like you merged part of this patch (the last hunk) in r965667
> Non-standard HTTP methods for view handlers (AKA WebDAV is b0rken) [PATCH]
> --------------------------------------------------------------------------
>
> Key: COUCHDB-815
> URL: https://issues.apache.org/jira/browse/COUCHDB-815
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Affects Versions: 1.0
> Environment: Erlang/OTP R13B04
> Reporter: Jason Smith
> Priority: Minor
> Attachments: allow_http_method_convert_to_binary.patch, bad_allow_any_http_method.patch
>
>
> CouchDB prevents the new view server handler methods, _show, _update, etc. from handling unknown HTTP methods. This prevents Couch apps from being able to implement extensions to the HTTP specification or to add application-specific methods to HTTP, violating the spirit of _show and _update.
> For example, it is not possible to make a CouchApp WebDAV server because _show and _list must support the PROPFIND method.
> In couch_httpd:handle_request_int/5, the response from Mochi is coerced to an atom if and only if the atom already exists (using couch_util:to_existing_atom/1). That is an odd whitelist, to say the least:
> $ curl localhost:5984 -X PROPFIND # Crashes mochiweb when to_existing_atom throws badarg
> curl: (52) Empty reply from server
> $ curl localhost:5984 -X list_to_binary # Any atom works
> {"error":"method_not_allowed","reason":"Only GET,HEAD allowed"}
> Considering the cURL commands above, I filed this as a bug, not a feature. I will explore some options and submit patches.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.