You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@couchdb.apache.org by "Chris Anderson (JIRA)" <ji...@apache.org> on 2010/07/20 00:47:50 UTC

[jira] Closed: (COUCHDB-829) Denial of Service vulnerability in rewriter

     [ https://issues.apache.org/jira/browse/COUCHDB-829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Anderson closed COUCHDB-829.
----------------------------------

    Resolution: Fixed

thanks, fixed in r965667

> Denial of Service vulnerability in rewriter
> -------------------------------------------
>
>                 Key: COUCHDB-829
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-829
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core
>    Affects Versions: 1.0
>         Environment: CouchDB trunk, erl R13B04
>            Reporter: Jason Smith
>
> Untrusted, unsanitized user input should not be converted to atoms because it allows the user to fill up the atom table in the VM, wasting memory and eventually causing a couchdb crash.
> If rewriting is enabled (which it is by default), and if an attacker knows a database and ddoc name (even if the ddoc has no _rewrite rules), the attacker can permanently enter atoms into system.
> I have not exhaustively audited couch_httpd_rewrite.erl but  for instance handle_rewrite_req/3 converts all URL query keys to atoms.
>     [info] [<0.38.0>] Apache CouchDB has started on http://0.0.0.0:5984/
>     1> erlang:list_to_existing_atom("do_i_exist").   
>     ** exception error: bad argument
>          in function  list_to_existing_atom/1
>             called as list_to_existing_atom("do_i_exist")
>     $ curl -X PUT localhost:5984/ex
>     {"ok":true}
>     $ curl -X PUT localhost:5984/ex/_design/ex -d {}
>     {"ok":true,"id":"_design/ex","rev":"1-967a00dff5e02add41819138abb3284d"}
>     $ curl http://localhost:5984/ex/_design/ex/_rewrite?do_i_exist=blah
>     {"error":"rewrite_error","reason":"Invalid path."}
>     2> [info] [<0.109.0>] 127.0.0.1 - - 'GET' /ex/_design/ex/_rewrite?do_i_exist=blah 404
>     2> erlang:list_to_existing_atom("do_i_exist").
>     do_i_exist

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.