Posted to dev@couchdb.apache.org by "Johnny Weng Luu (JIRA)" <ji...@apache.org> on 2011/02/22 15:42:38 UTC

[jira] Created: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Having a : in the "name" property in a _users document makes the GET /_session won't work
-----------------------------------------------------------------------------------------

                 Key: COUCHDB-1072
                 URL: https://issues.apache.org/jira/browse/COUCHDB-1072
             Project: CouchDB
          Issue Type: Bug
            Reporter: Johnny Weng Luu
            Priority: Critical


I have created multiple user documents in the _users database with the following in the "name" property:

"johnny.weng.luu@gmail.com"
"mammamia"
"mamma/mia"
"mamma:mia"

I logged in as each one of them (the password is the same for all of them) and then I tried to get the current user session with GET /_session with cookie auth.

It worked for the first 3 documents but not for the 4th one.

Conclusion: If I have a : in the "name" it won't work.

Would be good to either fix that so every character works or emit an error message if you save a document with invalid characters like the ":".

Hope this will be taken care of! Took me quite some time to figure out!

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Filipe Manana (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998329#comment-12998329 ] 

Filipe Manana commented on COUCHDB-1072:
----------------------------------------

I'm inclined to not allow the character : in user names. It's not allowed for HTTP basic auth user names, so it makes some sense to be consistent and not allow it for any of the authentication handlers we ship. Robert Newson also agrees with this (opinion expressed via IRC).

If no one is against this approach, I would add a rule in the validate document update handler of the _users database that checks for : in the user name.


        

[jira] Updated: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Filipe Manana (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Filipe Manana updated COUCHDB-1072:
-----------------------------------

    Attachment: COUCHDB-1072.patch

Jan, can't see immediately any other character that shouldn't be allowed.

The following patch is flexible enough to add other characters that we might find that should be blacklisted.

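The rule discussed in this thread (reject ":" in the "name" of a _users document, with a list that can grow), sketched as an added example; it is not the attached COUCHDB-1072.patch and not CouchDB's own code. All function and variable names are hypothetical, the password is a constructed sample value, and the HTTP Basic auth round trip is used to show why a colon in the name cannot be distinguished from the delimiter.

```javascript
// Added illustration: not CouchDB source and not the attached patch.
// All function and variable names here are hypothetical.
var FORBIDDEN_NAME_CHARS = [":"]; // extend if other characters turn out to be unsafe

// Shaped like a CouchDB validate_doc_update function: throwing
// {forbidden: reason} rejects the write before the document is stored.
function validateUserDoc(newDoc, oldDoc, userCtx) {
  if (newDoc._deleted === true) { return; }
  if (typeof newDoc.name !== "string" || newDoc.name.length === 0) {
    throw { forbidden: "doc.name must be a non-empty string" };
  }
  for (var i = 0; i < FORBIDDEN_NAME_CHARS.length; i++) {
    var ch = FORBIDDEN_NAME_CHARS[i];
    if (newDoc.name.indexOf(ch) !== -1) {
      throw { forbidden: "Character `" + ch + "` is not allowed in user names" };
    }
  }
}

// HTTP Basic auth sends base64("name:password"); the receiver splits at the
// first ":" so a colon inside the name cannot be told from the delimiter.
// (Buffer is Node.js; this half is a demo harness, not design-document code.)
function basicAuthHeader(name, password) {
  return "Basic " + Buffer.from(name + ":" + password, "utf8").toString("base64");
}

function parseBasicAuth(header) {
  var m = /^Basic ([A-Za-z0-9+\/=]+)$/.exec(header);
  if (!m) { return null; }
  var decoded = Buffer.from(m[1], "base64").toString("utf8");
  var sep = decoded.indexOf(":");
  if (sep === -1) { return null; }
  return { name: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// For each name: does it survive a Basic auth round trip, and does the rule reject it?
function checkNames(names, password) {
  return names.map(function (name) {
    var parsed = parseBasicAuth(basicAuthHeader(name, password));
    var rejected = null;
    try {
      validateUserDoc({ name: name }, null, {});
    } catch (e) {
      rejected = e.forbidden;
    }
    return { name: name, roundTrips: parsed !== null && parsed.name === name, rejected: rejected };
  });
}

// The four names from the report; the password is a constructed sample value.
var REPORT_NAMES = ["johnny.weng.luu@gmail.com", "mammamia", "mamma/mia", "mamma:mia"];
console.log(checkNames(REPORT_NAMES, "sample-password"));
```

Only "mamma:mia" fails the round trip (it comes back as name "mamma"), and it is the only one of the four the rule rejects.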

        

[jira] Commented: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Johnny Weng Luu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12997881#comment-12997881 ] 

Johnny Weng Luu commented on COUCHDB-1072:
------------------------------------------

I have no idea... only tried with cookie auth. Don't know about basic auth.


        

[jira] Commented: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Filipe Manana (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12997832#comment-12997832 ] 

Filipe Manana commented on COUCHDB-1072:
----------------------------------------

That happens with cookie auth only, right?


        

[jira] Assigned: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Filipe Manana (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Filipe Manana reassigned COUCHDB-1072:
--------------------------------------

    Assignee: Filipe Manana


        

[jira] Commented: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Jan Lehnardt (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998333#comment-12998333 ] 

Jan Lehnardt commented on COUCHDB-1072:
---------------------------------------

+1 on disallowing colons in usernames for consistency. Are there other characters where we don't have parity between the different login mechanisms?


        

[jira] Commented: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Robert Newson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998342#comment-12998342 ] 

Robert Newson commented on COUCHDB-1072:
----------------------------------------

+1 :)


        

[jira] Resolved: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Filipe Manana (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Filipe Manana resolved COUCHDB-1072.
------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.2

Applied to trunk


        

[jira] Commented: (COUCHDB-1072) Having a : in the "name" property in a _users document makes the GET /_session won't work

Posted by "Filipe Manana (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/COUCHDB-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12997887#comment-12997887 ] 

Filipe Manana commented on COUCHDB-1072:
----------------------------------------

Yes, I asked you about cookie auth only, didn't mention basic auth :)
