You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by wo...@apache.org on 2018/03/03 01:39:46 UTC
[couchdb] 01/01: Prevent access to Fauxton on node-local port (5986)
This is an automated email from the ASF dual-hosted git repository.
wohali pushed a commit to branch 1198-no-5986-fauxton
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 2b2c8add41147a2e86e04ad57805ca8e5d77472a
Author: Joan Touzet <jo...@atypical.net>
AuthorDate: Fri Mar 2 19:12:56 2018 -0500
Prevent access to Fauxton on node-local port (5986)
Will help stop people shooting themselves in the foot and/or using
node-local CouchDB as their "main" CouchDB port.
Closes #1198
---
src/couch/src/couch_httpd_misc_handlers.erl | 17 +-----
src/couch/test/couchdb_csp_tests.erl | 82 -----------------------------
src/couch/test/couchdb_vhosts_tests.erl | 25 ---------
3 files changed, 2 insertions(+), 122 deletions(-)
diff --git a/src/couch/src/couch_httpd_misc_handlers.erl b/src/couch/src/couch_httpd_misc_handlers.erl
index ddc3d64..51dc2be 100644
--- a/src/couch/src/couch_httpd_misc_handlers.erl
+++ b/src/couch/src/couch_httpd_misc_handlers.erl
@@ -61,22 +61,9 @@ handle_file_req(#httpd{method='GET'}=Req, Document) ->
handle_file_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
-handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
- "/" ++ UrlPath = couch_httpd:path(Req),
- case couch_httpd:partition(UrlPath) of
- {_ActionKey, "/", RelativePath} ->
- % GET /_utils/path or GET /_utils/
- CachingHeaders = [{"Cache-Control", "private, must-revalidate"}],
- EnableCsp = config:get("csp", "enable", "false"),
- Headers = maybe_add_csp_headers(CachingHeaders, EnableCsp),
- couch_httpd:serve_file(Req, RelativePath, DocumentRoot, Headers);
- {_ActionKey, "", _RelativePath} ->
- % GET /_utils
- RedirectPath = couch_httpd:path(Req) ++ "/",
- couch_httpd:send_redirect(Req, RedirectPath)
- end;
handle_utils_dir_req(Req, _) ->
- send_method_not_allowed(Req, "GET,HEAD").
+ send_error(Req, 410, <<"no_node_local_fauxton">>,
+ ?l2b("The web interface is no longer available on the node-local port.")).
maybe_add_csp_headers(Headers, "true") ->
DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
diff --git a/src/couch/test/couchdb_csp_tests.erl b/src/couch/test/couchdb_csp_tests.erl
deleted file mode 100644
index 5eb33f9..0000000
--- a/src/couch/test/couchdb_csp_tests.erl
+++ /dev/null
@@ -1,82 +0,0 @@
-% Licensed under the Apache License, Version 2.0 (the "License"); you may not
-% use this file except in compliance with the License. You may obtain a copy of
-% the License at
-%
-% http://www.apache.org/licenses/LICENSE-2.0
-%
-% Unless required by applicable law or agreed to in writing, software
-% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-% License for the specific language governing permissions and limitations under
-% the License.
-
--module(couchdb_csp_tests).
-
--include_lib("couch/include/couch_eunit.hrl").
-
--define(TIMEOUT, 1000).
-
-
-setup() ->
- ok = config:set("csp", "enable", "true", false),
- Addr = config:get("httpd", "bind_address", "127.0.0.1"),
- Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
- lists:concat(["http://", Addr, ":", Port, "/_utils/"]).
-
-teardown(_) ->
- ok.
-
-
-csp_test_() ->
- {
- "Content Security Policy tests",
- {
- setup,
- fun test_util:start_couch/0, fun test_util:stop_couch/1,
- {
- foreach,
- fun setup/0, fun teardown/1,
- [
- fun should_not_return_any_csp_headers_when_disabled/1,
- fun should_apply_default_policy/1,
- fun should_return_custom_policy/1,
- fun should_only_enable_csp_when_true/1
- ]
- }
- }
- }.
-
-
-should_not_return_any_csp_headers_when_disabled(Url) ->
- ?_assertEqual(undefined,
- begin
- ok = config:set("csp", "enable", "false", false),
- {ok, _, Headers, _} = test_request:get(Url),
- proplists:get_value("Content-Security-Policy", Headers)
- end).
-
-should_apply_default_policy(Url) ->
- ?_assertEqual(
- "default-src 'self'; img-src 'self' data:; font-src 'self'; "
- "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
- begin
- {ok, _, Headers, _} = test_request:get(Url),
- proplists:get_value("Content-Security-Policy", Headers)
- end).
-
-should_return_custom_policy(Url) ->
- ?_assertEqual("default-src 'http://example.com';",
- begin
- ok = config:set("csp", "header_value",
- "default-src 'http://example.com';", false),
- {ok, _, Headers, _} = test_request:get(Url),
- proplists:get_value("Content-Security-Policy", Headers)
- end).
-
-should_only_enable_csp_when_true(Url) ->
- ?_assertEqual(undefined,
- begin
- ok = config:set("csp", "enable", "tru", false),
- {ok, _, Headers, _} = test_request:get(Url),
- proplists:get_value("Content-Security-Policy", Headers)
- end).
diff --git a/src/couch/test/couchdb_vhosts_tests.erl b/src/couch/test/couchdb_vhosts_tests.erl
index dfac73c..2562a06 100644
--- a/src/couch/test/couchdb_vhosts_tests.erl
+++ b/src/couch/test/couchdb_vhosts_tests.erl
@@ -46,14 +46,6 @@ setup() ->
couch_db:ensure_full_commit(Db),
couch_db:close(Db),
- test_util:with_process_restart(couch_httpd, fun() ->
- config:set("httpd_global_handlers", "_utils",
- "{couch_httpd_misc_handlers, handle_utils_dir_req, <<\""
- ++ ?TEMPDIR
- ++ "\">>}"
- )
- end),
-
Addr = config:get("httpd", "bind_address", "127.0.0.1"),
Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
Url = "http://" ++ Addr ++ ":" ++ Port,
@@ -76,7 +68,6 @@ vhosts_test_() ->
[
fun should_return_database_info/1,
fun should_return_revs_info/1,
- fun should_serve_utils_for_vhost/1,
fun should_return_virtual_request_path_field_in_request/1,
fun should_return_real_request_path_field_in_request/1,
fun should_match_wildcard_vhost/1,
@@ -122,22 +113,6 @@ should_return_revs_info({Url, DbName}) ->
end
end).
-should_serve_utils_for_vhost({Url, DbName}) ->
- ?_test(begin
- ok = config:set("vhosts", "example.com", "/" ++ DbName, false),
- ensure_index_file(),
- case test_request:get(Url ++ "/_utils/index.html", [],
- [{host_header, "example.com"}]) of
- {ok, _, _, Body} ->
- ?assertMatch(<<"<!DOCTYPE html>", _/binary>>, Body);
- Else ->
- erlang:error({assertion_failed,
- [{module, ?MODULE},
- {line, ?LINE},
- {reason, ?iofmt("Request failed: ~p", [Else])}]})
- end
- end).
-
should_return_virtual_request_path_field_in_request({Url, DbName}) ->
?_test(begin
ok = config:set("vhosts", "example1.com",
--
To stop receiving notification emails like this one, please contact
wohali@apache.org.