Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/10 14:58:51 UTC

chttpd commit: updated refs/heads/master to 2723f64

Repository: couchdb-chttpd
Updated Branches:
  refs/heads/master e3f575f2f -> 2723f64e1


Remove new CSRF mechanism


Project: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/commit/2723f64e
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/tree/2723f64e
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/diff/2723f64e

Branch: refs/heads/master
Commit: 2723f64e1c41e93023c61a0964dc0eb7fcaeb463
Parents: e3f575f
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 10 12:29:23 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 10 12:29:23 2015 +0100

----------------------------------------------------------------------
 include/chttpd_cors.hrl   |  6 ++----
 src/chttpd.erl            | 22 +++++++---------------
 src/chttpd_csrf.erl       | 21 ---------------------
 test/chttpd_cors_test.erl |  2 +-
 4 files changed, 10 insertions(+), 41 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/2723f64e/include/chttpd_cors.hrl
----------------------------------------------------------------------
diff --git a/include/chttpd_cors.hrl b/include/chttpd_cors.hrl
index 428dadd..1988d7b 100644
--- a/include/chttpd_cors.hrl
+++ b/include/chttpd_cors.hrl
@@ -30,8 +30,7 @@
     "x-couchdb-www-authenticate",
     "x-http-method-override",
     "x-requested-with",
-    "x-couchdb-vhost-path",
-    "x-couchdb-csrf"
+    "x-couchdb-vhost-path"
 ]).
 
 
@@ -65,8 +64,7 @@
     "server",
     "x-couch-request-id",
     "x-couch-update-newrev",
-    "x-couchdb-body-time",
-    "x-couchdb-csrf-valid"
+    "x-couchdb-body-time"
 ]).
 
 

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/2723f64e/src/chttpd.erl
----------------------------------------------------------------------
diff --git a/src/chttpd.erl b/src/chttpd.erl
index 6c73f5f..a5baa27 100644
--- a/src/chttpd.erl
+++ b/src/chttpd.erl
@@ -226,7 +226,6 @@ handle_request_int(MochiReq) ->
     Result0 =
     try
         couch_httpd:validate_host(HttpReq),
-        chttpd_csrf:validate(HttpReq),
         check_request_uri_length(RawUri),
         case chttpd_cors:maybe_handle_preflight_request(HttpReq) of
         not_preflight ->
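Review bot: Removing `chttpd_csrf:validate(HttpReq)` from the try block means a cookie-authenticated request is no longer rejected in this pipeline for a missing or invalid CSRF token, and neither the commit message nor the surrounding code says what, if anything, now covers that case; presumably origin handling in `chttpd_cors` is expected to suffice, but that is not stated anywhere visible. A comment above `couch_httpd:validate_host(HttpReq)` would keep the next reader from treating the gap as accidental, e.g. `% No CSRF token check here (removed in 2723f64e); cross-origin requests rely on chttpd_cors handling.` Since the `chttpd_csrf` module is deleted in this same commit and Erlang only reports a missing module as `undef` at call time, the remaining hunks in this file remove the callers that were known here, but any caller in another module (xref will list them) would fail at runtime rather than at build time. `handle_request_int` begins and ends outside the hunk.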
@@ -476,8 +475,7 @@ serve_file(#httpd{mochi_req=MochiReq}=Req, RelativePath, DocumentRoot,
 	couch_httpd_auth:cookie_auth_header(Req, []) ++
 	ExtraHeaders,
     Headers1 = chttpd_cors:headers(Req, Headers),
-    Headers2 = chttpd_csrf:headers(Req, Headers1),
-    {ok, MochiReq:serve_file(RelativePath, DocumentRoot, Headers2)}.
+    {ok, MochiReq:serve_file(RelativePath, DocumentRoot, Headers1)}.
 
 qs_value(Req, Key) ->
     qs_value(Req, Key, undefined).
@@ -614,8 +612,7 @@ etag_respond(Req, CurrentEtag, RespFun) ->
         % the client has this in their cache.
         Headers0 = [{"Etag", CurrentEtag}],
         Headers1 = chttpd_cors:headers(Req, Headers0),
-        Headers2 = chttpd_csrf:headers(Req, Headers1),
-        chttpd:send_response(Req, 304, Headers2, <<>>);
+        chttpd:send_response(Req, 304, Headers1, <<>>);
     false ->
         % Run the function.
         RespFun()
@@ -632,8 +629,7 @@ start_response_length(#httpd{mochi_req=MochiReq}=Req, Code, Headers0, Length) ->
     Headers1 = Headers0 ++ server_header() ++
 	couch_httpd_auth:cookie_auth_header(Req, Headers0),
     Headers2 = chttpd_cors:headers(Req, Headers1),
-    Headers3 = chttpd_csrf:headers(Req, Headers2),
-    Resp = MochiReq:start_response_length({Code, Headers3, Length}),
+    Resp = MochiReq:start_response_length({Code, Headers2, Length}),
     case MochiReq:get(method) of
     'HEAD' -> throw({http_head_abort, Resp});
     _ -> ok
@@ -649,8 +645,7 @@ start_chunked_response(#httpd{mochi_req=MochiReq}=Req, Code, Headers0) ->
     Headers1 = Headers0 ++ server_header() ++
         couch_httpd_auth:cookie_auth_header(Req, Headers0),
     Headers2 = chttpd_cors:headers(Req, Headers1),
-    Headers3 = chttpd_csrf:headers(Req, Headers2),
-    Resp = MochiReq:respond({Code, Headers3, chunked}),
+    Resp = MochiReq:respond({Code, Headers2, chunked}),
     case MochiReq:get(method) of
     'HEAD' -> throw({http_head_abort, Resp});
     _ -> ok
@@ -681,8 +676,7 @@ send_json(Req, Code, Value) ->
 send_json(Req, Code, Headers0, Value) ->
     Headers1 = [timing(), reqid() | Headers0],
     Headers2 = chttpd_cors:headers(Req, Headers1),
-    Headers3 = chttpd_csrf:headers(Req, Headers2),
-    couch_httpd:send_json(Req, Code, Headers3, Value).
+    couch_httpd:send_json(Req, Code, Headers2, Value).
 
 start_json_response(Req, Code) ->
     start_json_response(Req, Code, []).
@@ -690,8 +684,7 @@ start_json_response(Req, Code) ->
 start_json_response(Req, Code, Headers0) ->
     Headers1 = [timing(), reqid() | Headers0],
     Headers2 = chttpd_cors:headers(Req, Headers1),
-    Headers3 = chttpd_csrf:headers(Req, Headers2),
-    couch_httpd:start_json_response(Req, Code, Headers3).
+    couch_httpd:start_json_response(Req, Code, Headers2).
 
 end_json_response(Resp) ->
     couch_httpd:end_json_response(Resp).
@@ -962,8 +955,7 @@ send_chunked_error(Resp, Error) ->
 send_redirect(Req, Path) ->
     Headers0 = [{"Location", chttpd:absolute_uri(Req, Path)}],
     Headers1 = chttpd_cors:headers(Req, Headers0),
-    Headers2 = chttpd_csrf:headers(Req, Headers1),
-    send_response(Req, 301, Headers2, <<>>).
+    send_response(Req, 301, Headers1, <<>>).
 
 server_header() ->
     couch_httpd:server_header().

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/2723f64e/src/chttpd_csrf.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_csrf.erl b/src/chttpd_csrf.erl
deleted file mode 100644
index 0f390a3..0000000
--- a/src/chttpd_csrf.erl
+++ /dev/null
@@ -1,21 +0,0 @@
-% Licensed under the Apache License, Version 2.0 (the "License"); you may not
-% use this file except in compliance with the License. You may obtain a copy of
-% the License at
-%
-%   http://www.apache.org/licenses/LICENSE-2.0
-%
-% Unless required by applicable law or agreed to in writing, software
-% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-% License for the specific language governing permissions and limitations under
-% the License.
-
--module(chttpd_csrf).
-
--export([validate/1, headers/2]).
-
-validate(Req) ->
-    couch_httpd_csrf:validate(Req).
-
-headers(Req, Headers) ->
-    couch_httpd_csrf:headers(Req, Headers).

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/2723f64e/test/chttpd_cors_test.erl
----------------------------------------------------------------------
diff --git a/test/chttpd_cors_test.erl b/test/chttpd_cors_test.erl
index 99c6f62..6ad807a 100644
--- a/test/chttpd_cors_test.erl
+++ b/test/chttpd_cors_test.erl
@@ -22,7 +22,7 @@
 -define(DEFAULT_ORIGIN_HTTPS, "https://example.com").
 -define(EXPOSED_HEADERS,
     "content-type, accept-ranges, etag, server, x-couch-request-id, " ++
-    "x-couch-update-newrev, x-couchdb-body-time, x-couchdb-csrf-valid").
+    "x-couch-update-newrev, x-couchdb-body-time").
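Review bot: Only the `?EXPOSED_HEADERS` define is updated to drop `x-couchdb-csrf-valid`; the companion change in `include/chttpd_cors.hrl` also removes `x-couchdb-csrf` from the allowed request headers, and if this test file has an equivalent allowed-headers define or assertion elsewhere (not visible in the hunk) it should be updated in the same way so the test still pins the full header policy. A negative assertion that the exposed-headers value no longer mentions the old header, e.g. `?assertEqual(0, string:str(?EXPOSED_HEADERS, "csrf"))`, would guard against the header being reintroduced by a later merge.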
 
 
 %% Test helpers