You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by wo...@apache.org on 2018/03/03 01:39:46 UTC

[couchdb] 01/01: Prevent access to Fauxton on node-local port (5986)

This is an automated email from the ASF dual-hosted git repository.

wohali pushed a commit to branch 1198-no-5986-fauxton
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 2b2c8add41147a2e86e04ad57805ca8e5d77472a
Author: Joan Touzet <jo...@atypical.net>
AuthorDate: Fri Mar 2 19:12:56 2018 -0500

    Prevent access to Fauxton on node-local port (5986)
    
    Will help stop people shooting themselves in the foot and/or using
    node-local CouchDB as their "main" CouchDB port.
    
    Closes #1198
---
 src/couch/src/couch_httpd_misc_handlers.erl | 17 +-----
 src/couch/test/couchdb_csp_tests.erl        | 82 -----------------------------
 src/couch/test/couchdb_vhosts_tests.erl     | 25 ---------
 3 files changed, 2 insertions(+), 122 deletions(-)

diff --git a/src/couch/src/couch_httpd_misc_handlers.erl b/src/couch/src/couch_httpd_misc_handlers.erl
index ddc3d64..51dc2be 100644
--- a/src/couch/src/couch_httpd_misc_handlers.erl
+++ b/src/couch/src/couch_httpd_misc_handlers.erl
@@ -61,22 +61,9 @@ handle_file_req(#httpd{method='GET'}=Req, Document) ->
 handle_file_req(Req, _) ->
     send_method_not_allowed(Req, "GET,HEAD").
 
-handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
-    "/" ++ UrlPath = couch_httpd:path(Req),
-    case couch_httpd:partition(UrlPath) of
-    {_ActionKey, "/", RelativePath} ->
-        % GET /_utils/path or GET /_utils/
-        CachingHeaders = [{"Cache-Control", "private, must-revalidate"}],
-        EnableCsp = config:get("csp", "enable", "false"),
-        Headers = maybe_add_csp_headers(CachingHeaders, EnableCsp),
-        couch_httpd:serve_file(Req, RelativePath, DocumentRoot, Headers);
-    {_ActionKey, "", _RelativePath} ->
-        % GET /_utils
-        RedirectPath = couch_httpd:path(Req) ++ "/",
-        couch_httpd:send_redirect(Req, RedirectPath)
-    end;
 handle_utils_dir_req(Req, _) ->
-    send_method_not_allowed(Req, "GET,HEAD").
+    send_error(Req, 410, <<"no_node_local_fauxton">>,
+        ?l2b("The web interface is no longer available on the node-local port.")).
 
 maybe_add_csp_headers(Headers, "true") ->
     DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
diff --git a/src/couch/test/couchdb_csp_tests.erl b/src/couch/test/couchdb_csp_tests.erl
deleted file mode 100644
index 5eb33f9..0000000
--- a/src/couch/test/couchdb_csp_tests.erl
+++ /dev/null
@@ -1,82 +0,0 @@
-% Licensed under the Apache License, Version 2.0 (the "License"); you may not
-% use this file except in compliance with the License. You may obtain a copy of
-% the License at
-%
-%   http://www.apache.org/licenses/LICENSE-2.0
-%
-% Unless required by applicable law or agreed to in writing, software
-% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-% License for the specific language governing permissions and limitations under
-% the License.
-
--module(couchdb_csp_tests).
-
--include_lib("couch/include/couch_eunit.hrl").
-
--define(TIMEOUT, 1000).
-
-
-setup() ->
-    ok = config:set("csp", "enable", "true", false),
-    Addr = config:get("httpd", "bind_address", "127.0.0.1"),
-    Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
-    lists:concat(["http://", Addr, ":", Port, "/_utils/"]).
-
-teardown(_) ->
-    ok.
-
-
-csp_test_() ->
-    {
-        "Content Security Policy tests",
-        {
-            setup,
-            fun test_util:start_couch/0, fun test_util:stop_couch/1,
-            {
-                foreach,
-                fun setup/0, fun teardown/1,
-                [
-                    fun should_not_return_any_csp_headers_when_disabled/1,
-                    fun should_apply_default_policy/1,
-                    fun should_return_custom_policy/1,
-                    fun should_only_enable_csp_when_true/1
-                ]
-            }
-        }
-    }.
-
-
-should_not_return_any_csp_headers_when_disabled(Url) ->
-    ?_assertEqual(undefined,
-        begin
-            ok = config:set("csp", "enable", "false", false),
-            {ok, _, Headers, _} = test_request:get(Url),
-            proplists:get_value("Content-Security-Policy", Headers)
-        end).
-
-should_apply_default_policy(Url) ->
-    ?_assertEqual(
-        "default-src 'self'; img-src 'self' data:; font-src 'self'; "
-        "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
-        begin
-            {ok, _, Headers, _} = test_request:get(Url),
-            proplists:get_value("Content-Security-Policy", Headers)
-        end).
-
-should_return_custom_policy(Url) ->
-    ?_assertEqual("default-src 'http://example.com';",
-        begin
-            ok = config:set("csp", "header_value",
-                                  "default-src 'http://example.com';", false),
-            {ok, _, Headers, _} = test_request:get(Url),
-            proplists:get_value("Content-Security-Policy", Headers)
-        end).
-
-should_only_enable_csp_when_true(Url) ->
-    ?_assertEqual(undefined,
-        begin
-            ok = config:set("csp", "enable", "tru", false),
-            {ok, _, Headers, _} = test_request:get(Url),
-            proplists:get_value("Content-Security-Policy", Headers)
-        end).
diff --git a/src/couch/test/couchdb_vhosts_tests.erl b/src/couch/test/couchdb_vhosts_tests.erl
index dfac73c..2562a06 100644
--- a/src/couch/test/couchdb_vhosts_tests.erl
+++ b/src/couch/test/couchdb_vhosts_tests.erl
@@ -46,14 +46,6 @@ setup() ->
     couch_db:ensure_full_commit(Db),
     couch_db:close(Db),
 
-    test_util:with_process_restart(couch_httpd, fun() ->
-        config:set("httpd_global_handlers", "_utils",
-            "{couch_httpd_misc_handlers, handle_utils_dir_req, <<\""
-                ++ ?TEMPDIR
-                ++ "\">>}"
-        )
-    end),
-
     Addr = config:get("httpd", "bind_address", "127.0.0.1"),
     Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
     Url = "http://" ++ Addr ++ ":" ++ Port,
@@ -76,7 +68,6 @@ vhosts_test_() ->
                 [
                     fun should_return_database_info/1,
                     fun should_return_revs_info/1,
-                    fun should_serve_utils_for_vhost/1,
                     fun should_return_virtual_request_path_field_in_request/1,
                     fun should_return_real_request_path_field_in_request/1,
                     fun should_match_wildcard_vhost/1,
@@ -122,22 +113,6 @@ should_return_revs_info({Url, DbName}) ->
         end
     end).
 
-should_serve_utils_for_vhost({Url, DbName}) ->
-    ?_test(begin
-        ok = config:set("vhosts", "example.com", "/" ++ DbName, false),
-        ensure_index_file(),
-        case test_request:get(Url ++ "/_utils/index.html", [],
-                              [{host_header, "example.com"}]) of
-            {ok, _, _, Body} ->
-                ?assertMatch(<<"<!DOCTYPE html>", _/binary>>, Body);
-            Else ->
-                erlang:error({assertion_failed,
-                             [{module, ?MODULE},
-                              {line, ?LINE},
-                              {reason, ?iofmt("Request failed: ~p", [Else])}]})
-        end
-    end).
-
 should_return_virtual_request_path_field_in_request({Url, DbName}) ->
     ?_test(begin
         ok = config:set("vhosts", "example1.com",

-- 
To stop receiving notification emails like this one, please contact
wohali@apache.org.