Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/03 17:29:19 UTC

[1/2] couch commit: updated refs/heads/master to a431e65

Repository: couchdb-couch
Updated Branches:
  refs/heads/master 4d5dd10bc -> a431e6571


check POST requests for valid json header

Validate that every POST request carrying a JSON body also carries a valid
`Content-Type: application/json` request header.
This provides basic protection against CSRF, since a cross-site HTML form submission cannot set that Content-Type.

JIRA: COUCHDB-2775


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/c7708e9f
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/c7708e9f
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/c7708e9f

Branch: refs/heads/master
Commit: c7708e9f064e5481d0aadc9c1f0760b0ea7a092e
Parents: 0fdc50b
Author: Mayya Sharipova <ma...@ca.ibm.com>
Authored: Wed Sep 2 13:33:29 2015 -0400
Committer: Mayya Sharipova <ma...@ca.ibm.com>
Committed: Wed Sep 2 15:52:23 2015 -0400

----------------------------------------------------------------------
 src/couch_changes.erl             | 1 +
 src/couch_httpd_db.erl            | 2 ++
 src/couch_httpd_misc_handlers.erl | 2 ++
 3 files changed, 5 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_changes.erl
----------------------------------------------------------------------
diff --git a/src/couch_changes.erl b/src/couch_changes.erl
index 9a1d406..7547aef 100644
--- a/src/couch_changes.erl
+++ b/src/couch_changes.erl
@@ -310,6 +310,7 @@ get_view_qs(Req) ->
 get_doc_ids({json_req, {Props}}) ->
     check_docids(couch_util:get_value(<<"doc_ids">>, Props));
 get_doc_ids(#httpd{method='POST'}=Req) ->
+    couch_httpd:validate_ctype(Req, "application/json"),
     {Props} = couch_httpd:json_body_obj(Req),
     check_docids(couch_util:get_value(<<"doc_ids">>, Props));
 get_doc_ids(#httpd{method='GET'}=Req) ->
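Review bot: The new `validate_ctype` call at the top of the POST clause has no comment saying why a Content-Type requirement is a security control, so a later maintainer could relax it without realising it is the CSRF mitigation from COUCHDB-2775; suggest `%% CSRF guard: a cross-site form post cannot set application/json, so require it before parsing the body (COUCHDB-2775).` above the call. The check is only meaningful if the deployment's CORS configuration does not also allow a `Content-Type` of `application/json` from arbitrary origins — presumably that is left to the CORS settings, but it is worth confirming and noting in the comment. Note that `validate_ctype` runs before `json_body_obj`, which is the right order: a form-encoded body is rejected before any parsing is attempted. The GET clause starting on the last line continues outside the hunk, so whether `doc_ids` is also accepted via query parameters (and thus outside this check) cannot be seen here.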

http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_httpd_db.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_db.erl b/src/couch_httpd_db.erl
index 4337f41..f2a5c14 100644
--- a/src/couch_httpd_db.erl
+++ b/src/couch_httpd_db.erl
@@ -381,6 +381,7 @@ db_req(#httpd{path_parts=[_,<<"_purge">>]}=Req, _Db) ->
     send_method_not_allowed(Req, "POST");
 
 db_req(#httpd{method='POST',path_parts=[_,<<"_missing_revs">>]}=Req, Db) ->
+    couch_httpd:validate_ctype(Req, "application/json"),
     {JsonDocIdRevs} = couch_httpd:json_body_obj(Req),
     JsonDocIdRevs2 = [{Id, [couch_doc:parse_rev(RevStr) || RevStr <- RevStrs]} || {Id, RevStrs} <- JsonDocIdRevs],
     {ok, Results} = couch_db:get_missing_revs(Db, JsonDocIdRevs2),
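Review bot: The `_missing_revs` handler now checks the Content-Type but, as before, the comprehension `RevStr <- RevStrs` assumes every value in the JSON object is a list; a syntactically valid JSON body with a non-list value will crash the handler with a generic error rather than a 400, which the new check does not cover. Since this endpoint is not reachable by a plain form post after this change, that is a robustness rather than a security gap, but a one-line guard such as `is_list(RevStrs) orelse throw({bad_request, <<"revs must be a list">>})` inside the comprehension would make the error explicit. A short why-comment on the added line, `%% CSRF guard (COUCHDB-2775): reject bodies not declared as application/json`, would also help. The `db_req` clause continues past the end of the hunk.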
@@ -393,6 +394,7 @@ db_req(#httpd{path_parts=[_,<<"_missing_revs">>]}=Req, _Db) ->
     send_method_not_allowed(Req, "POST");
 
 db_req(#httpd{method='POST',path_parts=[_,<<"_revs_diff">>]}=Req, Db) ->
+    couch_httpd:validate_ctype(Req, "application/json"),
     {JsonDocIdRevs} = couch_httpd:json_body_obj(Req),
     JsonDocIdRevs2 =
         [{Id, couch_doc:parse_revs(RevStrs)} || {Id, RevStrs} <- JsonDocIdRevs],
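Review bot: With this hunk the same two-line prologue — `couch_httpd:validate_ctype(Req, "application/json")` followed by `couch_httpd:json_body_obj(Req)` — now appears in three separate handlers, which makes it easy for the next JSON-accepting POST handler to omit the check. Consider folding the Content-Type check into the body reader itself (e.g. a `json_body_obj` variant that calls `validate_ctype` first) so the CSRF guard is enforced wherever a JSON body is parsed rather than relying on each call site. If `validate_ctype` is kept per-handler, a brief comment naming it as the COUCHDB-2775 CSRF guard would prevent it being removed as redundant. The `_revs_diff` clause continues outside the hunk.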

http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_httpd_misc_handlers.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_misc_handlers.erl b/src/couch_httpd_misc_handlers.erl
index f6b8a4e..10d6d9e 100644
--- a/src/couch_httpd_misc_handlers.erl
+++ b/src/couch_httpd_misc_handlers.erl
@@ -185,6 +185,8 @@ handle_config_req(#httpd{method='GET', path_parts=[_, Section, Key]}=Req) ->
     end;
 % POST /_config/_reload - Flushes unpersisted config values from RAM
 handle_config_req(#httpd{method='POST', path_parts=[_, <<"_reload">>]}=Req) ->
+    couch_httpd:validate_ctype(Req, "application/json"),
+    _ = couch_httpd:body(Req),
     ok = couch_httpd:verify_is_server_admin(Req),
     ok = config:reload(),
     send_json(Req, 200, {[{ok, true}]});
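Review bot: In the `_reload` handler the two added lines run before `ok = couch_httpd:verify_is_server_admin(Req)`, so an unauthenticated client now has its request body read and receives a Content-Type error before the admin check is applied; authorization should come first, which also keeps unauthenticated callers from driving the body read. Move the admin check above the new lines: `ok = couch_httpd:verify_is_server_admin(Req),` then `couch_httpd:validate_ctype(Req, "application/json"),` then `_ = couch_httpd:body(Req),`. The `_ = couch_httpd:body(Req)` line also deserves a why-comment, since this handler ignores the body; presumably it is drained so the connection is left in a usable state — suggest `%% consume the (unused) body so the request is fully read before replying` once that is confirmed.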


[2/2] couch commit: updated refs/heads/master to a431e65

Posted by rn...@apache.org.
Merge remote-tracking branch 'cloudant/2775-post-valid-json-header'


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/a431e657
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/a431e657
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/a431e657

Branch: refs/heads/master
Commit: a431e65713095f1fa99101e14835e89f21b5d82b
Parents: 4d5dd10 c7708e9
Author: Robert Newson <rn...@apache.org>
Authored: Thu Sep 3 16:29:03 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Sep 3 16:29:03 2015 +0100

----------------------------------------------------------------------
 src/couch_changes.erl             | 1 +
 src/couch_httpd_db.erl            | 2 ++
 src/couch_httpd_misc_handlers.erl | 2 ++
 3 files changed, 5 insertions(+)
----------------------------------------------------------------------