Posted to dev@couchdb.apache.org by "Chris Anderson (JIRA)" <ji...@apache.org> on 2010/07/20 00:47:50 UTC
[jira] Closed: (COUCHDB-829) Denial of Service vulnerability in rewriter
[ https://issues.apache.org/jira/browse/COUCHDB-829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Anderson closed COUCHDB-829.
----------------------------------
Resolution: Fixed
thanks, fixed in r965667
> Denial of Service vulnerability in rewriter
> -------------------------------------------
>
> Key: COUCHDB-829
> URL: https://issues.apache.org/jira/browse/COUCHDB-829
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core
> Affects Versions: 1.0
> Environment: CouchDB trunk, erl R13B04
> Reporter: Jason Smith
>
> Untrusted, unsanitized user input should not be converted to atoms because it allows the user to fill up the atom table in the VM, wasting memory and eventually causing a couchdb crash.
> If rewriting is enabled (which it is by default), and if an attacker knows a database and ddoc name (even if the ddoc has no _rewrite rules), the attacker can permanently enter atoms into the system.
> I have not exhaustively audited couch_httpd_rewrite.erl but for instance handle_rewrite_req/3 converts all URL query keys to atoms.
> [info] [<0.38.0>] Apache CouchDB has started on http://0.0.0.0:5984/
> 1> erlang:list_to_existing_atom("do_i_exist").
> ** exception error: bad argument
> in function list_to_existing_atom/1
> called as list_to_existing_atom("do_i_exist")
> $ curl -X PUT localhost:5984/ex
> {"ok":true}
> $ curl -X PUT localhost:5984/ex/_design/ex -d {}
> {"ok":true,"id":"_design/ex","rev":"1-967a00dff5e02add41819138abb3284d"}
> $ curl http://localhost:5984/ex/_design/ex/_rewrite?do_i_exist=blah
> {"error":"rewrite_error","reason":"Invalid path."}
> 2> [info] [<0.109.0>] 127.0.0.1 - - 'GET' /ex/_design/ex/_rewrite?do_i_exist=blah 404
> 2> erlang:list_to_existing_atom("do_i_exist").
> do_i_exist
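The atom-table problem reported above, shown as an added Erlang example that is not part of the original message and is not the change made in r965667: the unsafe key conversion next to two ways of handling untrusted query keys without creating atoms. The module name, function names, allowlist and sample query are all hypothetical and constructed for illustration.

```erlang
%% Added example, not CouchDB source. All names here are hypothetical.
-module(query_keys).
-export([unsafe_keys/1, safe_keys/1, known_keys/1, demo/0]).

%% The pattern the report describes: every client-supplied key becomes
%% an atom. Atoms are never garbage collected, so each previously unseen
%% key permanently occupies a slot in the VM-wide atom table.
unsafe_keys(Query) ->
    [{list_to_atom(K), V} || {K, V} <- Query].

%% Option 1: keep untrusted keys as binaries, so no atom is created.
safe_keys(Query) ->
    [{unicode:characters_to_binary(K), V} || {K, V} <- Query].

%% Option 2: convert only keys the code already knows and drop the rest.
%% list_to_existing_atom/1 raises badarg for a name that is not yet an
%% atom, and the allowlist rejects atoms that exist for other reasons.
known_keys(Query) ->
    Allowed = [startkey, endkey, limit],        % constructed allowlist
    lists:filtermap(
      fun({K, V}) ->
              try list_to_existing_atom(K) of
                  A ->
                      case lists:member(A, Allowed) of
                          true  -> {true, {A, V}};
                          false -> false
                      end
              catch
                  error:badarg -> false
              end
      end, Query).

%% Returns {GrowthFromSafePaths, GrowthFromUnsafePath}, measured with
%% erlang:system_info(atom_count) (available from OTP 20).
demo() ->
    %% Constructed input: one known key and one key no code refers to.
    Query = [{"limit", "10"}, {"zz_constructed_key_1", "x"}],
    Before = erlang:system_info(atom_count),
    _ = safe_keys(Query),
    _ = known_keys(Query),
    AfterSafe = erlang:system_info(atom_count),
    _ = unsafe_keys(Query),
    AfterUnsafe = erlang:system_info(atom_count),
    {AfterSafe - Before, AfterUnsafe - AfterSafe}.
```

Compile with c(query_keys). and call query_keys:demo(). in a fresh shell to compare atom-table growth between the safe and unsafe paths.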