Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/10 14:58:51 UTC
chttpd commit: updated refs/heads/master to 2723f64
Repository: couchdb-chttpd
Updated Branches:
refs/heads/master e3f575f2f -> 2723f64e1
Remove new CSRF mechanism
Project: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/commit/2723f64e
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/tree/2723f64e
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/diff/2723f64e
Branch: refs/heads/master
Commit: 2723f64e1c41e93023c61a0964dc0eb7fcaeb463
Parents: e3f575f
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 10 12:29:23 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 10 12:29:23 2015 +0100
----------------------------------------------------------------------
include/chttpd_cors.hrl | 6 ++----
src/chttpd.erl | 22 +++++++---------------
src/chttpd_csrf.erl | 21 ---------------------
test/chttpd_cors_test.erl | 2 +-
4 files changed, 10 insertions(+), 41 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/2723f64e/include/chttpd_cors.hrl
----------------------------------------------------------------------
diff --git a/include/chttpd_cors.hrl b/include/chttpd_cors.hrl
index 428dadd..1988d7b 100644
--- a/include/chttpd_cors.hrl
+++ b/include/chttpd_cors.hrl
@@ -30,8 +30,7 @@
"x-couchdb-www-authenticate",
"x-http-method-override",
"x-requested-with",
- "x-couchdb-vhost-path",
- "x-couchdb-csrf"
+ "x-couchdb-vhost-path"
]).
@@ -65,8 +64,7 @@
"server",
"x-couch-request-id",
"x-couch-update-newrev",
- "x-couchdb-body-time",
- "x-couchdb-csrf-valid"
+ "x-couchdb-body-time"
]).
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/2723f64e/src/chttpd.erl
----------------------------------------------------------------------
diff --git a/src/chttpd.erl b/src/chttpd.erl
index 6c73f5f..a5baa27 100644
--- a/src/chttpd.erl
+++ b/src/chttpd.erl
@@ -226,7 +226,6 @@ handle_request_int(MochiReq) ->
Result0 =
try
couch_httpd:validate_host(HttpReq),
- chttpd_csrf:validate(HttpReq),
check_request_uri_length(RawUri),
case chttpd_cors:maybe_handle_preflight_request(HttpReq) of
not_preflight ->
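Review bot: After this hunk the `try` in handle_request_int goes from `couch_httpd:validate_host(HttpReq)` straight to `check_request_uri_length(RawUri)`, so no CSRF check is visible on this request path. Neither the commit message nor the code says why the mechanism was withdrawn or what cookie-authenticated, state-changing requests should rely on instead. I would record that at the call site, e.g. `% No CSRF token check here: the x-couchdb-csrf mechanism was removed in 2723f64 (<reason / replacement control>)`, and put the same rationale in the commit message. The deleted chttpd_csrf module only delegated to couch_httpd_csrf, which lives outside this diff, so it is worth confirming that module and any configuration or documentation for it are retired in step rather than left looking active. The body of handle_request_int starts and ends outside the hunk.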
@@ -476,8 +475,7 @@ serve_file(#httpd{mochi_req=MochiReq}=Req, RelativePath, DocumentRoot,
couch_httpd_auth:cookie_auth_header(Req, []) ++
ExtraHeaders,
Headers1 = chttpd_cors:headers(Req, Headers),
- Headers2 = chttpd_csrf:headers(Req, Headers1),
- {ok, MochiReq:serve_file(RelativePath, DocumentRoot, Headers2)}.
+ {ok, MochiReq:serve_file(RelativePath, DocumentRoot, Headers1)}.
qs_value(Req, Key) ->
qs_value(Req, Key, undefined).
@@ -614,8 +612,7 @@ etag_respond(Req, CurrentEtag, RespFun) ->
% the client has this in their cache.
Headers0 = [{"Etag", CurrentEtag}],
Headers1 = chttpd_cors:headers(Req, Headers0),
- Headers2 = chttpd_csrf:headers(Req, Headers1),
- chttpd:send_response(Req, 304, Headers2, <<>>);
+ chttpd:send_response(Req, 304, Headers1, <<>>);
false ->
% Run the function.
RespFun()
@@ -632,8 +629,7 @@ start_response_length(#httpd{mochi_req=MochiReq}=Req, Code, Headers0, Length) ->
Headers1 = Headers0 ++ server_header() ++
couch_httpd_auth:cookie_auth_header(Req, Headers0),
Headers2 = chttpd_cors:headers(Req, Headers1),
- Headers3 = chttpd_csrf:headers(Req, Headers2),
- Resp = MochiReq:start_response_length({Code, Headers3, Length}),
+ Resp = MochiReq:start_response_length({Code, Headers2, Length}),
case MochiReq:get(method) of
'HEAD' -> throw({http_head_abort, Resp});
_ -> ok
@@ -649,8 +645,7 @@ start_chunked_response(#httpd{mochi_req=MochiReq}=Req, Code, Headers0) ->
Headers1 = Headers0 ++ server_header() ++
couch_httpd_auth:cookie_auth_header(Req, Headers0),
Headers2 = chttpd_cors:headers(Req, Headers1),
- Headers3 = chttpd_csrf:headers(Req, Headers2),
- Resp = MochiReq:respond({Code, Headers3, chunked}),
+ Resp = MochiReq:respond({Code, Headers2, chunked}),
case MochiReq:get(method) of
'HEAD' -> throw({http_head_abort, Resp});
_ -> ok
@@ -681,8 +676,7 @@ send_json(Req, Code, Value) ->
send_json(Req, Code, Headers0, Value) ->
Headers1 = [timing(), reqid() | Headers0],
Headers2 = chttpd_cors:headers(Req, Headers1),
- Headers3 = chttpd_csrf:headers(Req, Headers2),
- couch_httpd:send_json(Req, Code, Headers3, Value).
+ couch_httpd:send_json(Req, Code, Headers2, Value).
start_json_response(Req, Code) ->
start_json_response(Req, Code, []).
@@ -690,8 +684,7 @@ start_json_response(Req, Code) ->
start_json_response(Req, Code, Headers0) ->
Headers1 = [timing(), reqid() | Headers0],
Headers2 = chttpd_cors:headers(Req, Headers1),
- Headers3 = chttpd_csrf:headers(Req, Headers2),
- couch_httpd:start_json_response(Req, Code, Headers3).
+ couch_httpd:start_json_response(Req, Code, Headers2).
end_json_response(Resp) ->
couch_httpd:end_json_response(Resp).
@@ -962,8 +955,7 @@ send_chunked_error(Resp, Error) ->
send_redirect(Req, Path) ->
Headers0 = [{"Location", chttpd:absolute_uri(Req, Path)}],
Headers1 = chttpd_cors:headers(Req, Headers0),
- Headers2 = chttpd_csrf:headers(Req, Headers1),
- send_response(Req, 301, Headers2, <<>>).
+ send_response(Req, 301, Headers1, <<>>).
server_header() ->
couch_httpd:server_header().
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/2723f64e/src/chttpd_csrf.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_csrf.erl b/src/chttpd_csrf.erl
deleted file mode 100644
index 0f390a3..0000000
--- a/src/chttpd_csrf.erl
+++ /dev/null
@@ -1,21 +0,0 @@
-% Licensed under the Apache License, Version 2.0 (the "License"); you may not
-% use this file except in compliance with the License. You may obtain a copy of
-% the License at
-%
-% http://www.apache.org/licenses/LICENSE-2.0
-%
-% Unless required by applicable law or agreed to in writing, software
-% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-% License for the specific language governing permissions and limitations under
-% the License.
-
--module(chttpd_csrf).
-
--export([validate/1, headers/2]).
-
-validate(Req) ->
- couch_httpd_csrf:validate(Req).
-
-headers(Req, Headers) ->
- couch_httpd_csrf:headers(Req, Headers).
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/2723f64e/test/chttpd_cors_test.erl
----------------------------------------------------------------------
diff --git a/test/chttpd_cors_test.erl b/test/chttpd_cors_test.erl
index 99c6f62..6ad807a 100644
--- a/test/chttpd_cors_test.erl
+++ b/test/chttpd_cors_test.erl
@@ -22,7 +22,7 @@
-define(DEFAULT_ORIGIN_HTTPS, "https://example.com").
-define(EXPOSED_HEADERS,
"content-type, accept-ranges, etag, server, x-couch-request-id, " ++
- "x-couch-update-newrev, x-couchdb-body-time, x-couchdb-csrf-valid").
+ "x-couch-update-newrev, x-couchdb-body-time").
%% Test helpers