Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/03 17:29:19 UTC
[1/2] couch commit: updated refs/heads/master to a431e65
Repository: couchdb-couch
Updated Branches:
refs/heads/master 4d5dd10bc -> a431e6571
check POST requests for valid json header
validate that all POST requests with a JSON body must also have a valid
JSON header: {"Content-Type": "application/json"}
This ensures a basic protection against CSRF
JIRA: COUCHDB-2775
Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/c7708e9f
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/c7708e9f
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/c7708e9f
Branch: refs/heads/master
Commit: c7708e9f064e5481d0aadc9c1f0760b0ea7a092e
Parents: 0fdc50b
Author: Mayya Sharipova <ma...@ca.ibm.com>
Authored: Wed Sep 2 13:33:29 2015 -0400
Committer: Mayya Sharipova <ma...@ca.ibm.com>
Committed: Wed Sep 2 15:52:23 2015 -0400
----------------------------------------------------------------------
src/couch_changes.erl | 1 +
src/couch_httpd_db.erl | 2 ++
src/couch_httpd_misc_handlers.erl | 2 ++
3 files changed, 5 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_changes.erl
----------------------------------------------------------------------
diff --git a/src/couch_changes.erl b/src/couch_changes.erl
index 9a1d406..7547aef 100644
--- a/src/couch_changes.erl
+++ b/src/couch_changes.erl
@@ -310,6 +310,7 @@ get_view_qs(Req) ->
get_doc_ids({json_req, {Props}}) ->
check_docids(couch_util:get_value(<<"doc_ids">>, Props));
get_doc_ids(#httpd{method='POST'}=Req) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
{Props} = couch_httpd:json_body_obj(Req),
check_docids(couch_util:get_value(<<"doc_ids">>, Props));
get_doc_ids(#httpd{method='GET'}=Req) ->
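Review bot: The added `couch_httpd:validate_ctype(Req, "application/json")` call carries no comment saying why a Content-Type check sits in front of a JSON body parse, so a later reader may drop it as redundant with `couch_httpd:json_body_obj/1`; the same applies to the identical inserts in couch_httpd_db.erl (`_missing_revs` and `_revs_diff`) and couch_httpd_misc_handlers.erl (`_reload`). Suggest `% COUCHDB-2775: require an application/json Content-Type before parsing the body; a plain HTML-form POST cannot set this header, which is the CSRF defence relied on here.` directly above the call. The call must stay ahead of `json_body_obj/1` so nothing is parsed from a request that fails the header check. The `{json_req, {Props}}` clause at the top of the hunk is not covered by the check; if it is reachable from an HTTP request rather than only from internal callers it needs the same guard — confirm against its callers. `get_doc_ids` has further clauses past the end of the hunk.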
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_httpd_db.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_db.erl b/src/couch_httpd_db.erl
index 4337f41..f2a5c14 100644
--- a/src/couch_httpd_db.erl
+++ b/src/couch_httpd_db.erl
@@ -381,6 +381,7 @@ db_req(#httpd{path_parts=[_,<<"_purge">>]}=Req, _Db) ->
send_method_not_allowed(Req, "POST");
db_req(#httpd{method='POST',path_parts=[_,<<"_missing_revs">>]}=Req, Db) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
{JsonDocIdRevs} = couch_httpd:json_body_obj(Req),
JsonDocIdRevs2 = [{Id, [couch_doc:parse_rev(RevStr) || RevStr <- RevStrs]} || {Id, RevStrs} <- JsonDocIdRevs],
{ok, Results} = couch_db:get_missing_revs(Db, JsonDocIdRevs2),
@@ -393,6 +394,7 @@ db_req(#httpd{path_parts=[_,<<"_missing_revs">>]}=Req, _Db) ->
send_method_not_allowed(Req, "POST");
db_req(#httpd{method='POST',path_parts=[_,<<"_revs_diff">>]}=Req, Db) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
{JsonDocIdRevs} = couch_httpd:json_body_obj(Req),
JsonDocIdRevs2 =
[{Id, couch_doc:parse_revs(RevStrs)} || {Id, RevStrs} <- JsonDocIdRevs],
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_httpd_misc_handlers.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_misc_handlers.erl b/src/couch_httpd_misc_handlers.erl
index f6b8a4e..10d6d9e 100644
--- a/src/couch_httpd_misc_handlers.erl
+++ b/src/couch_httpd_misc_handlers.erl
@@ -185,6 +185,8 @@ handle_config_req(#httpd{method='GET', path_parts=[_, Section, Key]}=Req) ->
end;
% POST /_config/_reload - Flushes unpersisted config values from RAM
handle_config_req(#httpd{method='POST', path_parts=[_, <<"_reload">>]}=Req) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
+ _ = couch_httpd:body(Req),
ok = couch_httpd:verify_is_server_admin(Req),
ok = config:reload(),
send_json(Req, 200, {[{ok, true}]});
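Review bot: The added `_ = couch_httpd:body(Req)` discards a value with no comment explaining why a body is read at all for an endpoint that takes no payload, and it runs before `ok = couch_httpd:verify_is_server_admin(Req)`, so an unauthenticated caller now has its whole body consumed before the 401 is sent. Suggest `% Read and discard the body so the connection can be reused; /_reload carries no JSON payload and the Content-Type check above is the CSRF guard.` above that line — presumably that is the intent, confirm against couch_httpd. If couch_httpd's error path already discards an unread body, moving `ok = couch_httpd:verify_is_server_admin(Req),` above the two added lines rejects non-admins before any body is read. `handle_config_req` has further clauses after the end of the hunk.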
[2/2] couch commit: updated refs/heads/master to a431e65
Posted by rn...@apache.org.
Merge remote-tracking branch 'cloudant/2775-post-valid-json-header'
Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/a431e657
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/a431e657
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/a431e657
Branch: refs/heads/master
Commit: a431e65713095f1fa99101e14835e89f21b5d82b
Parents: 4d5dd10 c7708e9
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 3 16:29:03 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 3 16:29:03 2015 +0100
----------------------------------------------------------------------
src/couch_changes.erl | 1 +
src/couch_httpd_db.erl | 2 ++
src/couch_httpd_misc_handlers.erl | 2 ++
3 files changed, 5 insertions(+)
----------------------------------------------------------------------