Posted to commits@couchdb.apache.org by ja...@apache.org on 2018/07/13 15:44:18 UTC

[couchdb] 01/06: config: improve handling of admin-supplied changes

This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch fix/2.1.2-sec
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 5f34f6a6f0909196c484abaa858bfb745b52f5a0
Author: Dave Cottlehuber <dc...@apache.org>
AuthorDate: Mon Apr 30 10:10:26 2018 +0000

    config: improve handling of admin-supplied changes
    
    - send a readable error response from failed config set
    - trust but verify admin-supplied content in separate function
    - return specific error conditions for logging
---
 src/chttpd/src/chttpd_misc.erl              | 10 +++++++---
 src/couch/src/couch_httpd_misc_handlers.erl |  2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index 253da23..7be8a49 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -293,11 +293,15 @@ handle_node_req(#httpd{path_parts=[_, _Node, <<"_config">>, _Section]}=Req) ->
 % "value"
 handle_node_req(#httpd{method='PUT', path_parts=[_, Node, <<"_config">>, Section, Key]}=Req) ->
     couch_util:check_config_blacklist(Section),
-    Value = chttpd:json_body(Req),
+    Value = string:trim(chttpd:json_body(Req)),
     Persist = chttpd:header_value(Req, "X-Couch-Persist") /= "false",
     OldValue = call_node(Node, config, get, [Section, Key, ""]),
-    ok = call_node(Node, config, set, [Section, Key, ?b2l(Value), Persist]),
-    send_json(Req, 200, list_to_binary(OldValue));
+    case call_node(Node, config, set, [Section, Key, ?b2l(Value), Persist]) of
+        ok ->
+            send_json(Req, 200, list_to_binary(OldValue));
+        {error, Reason} ->
+            chttpd:send_error(Req, {bad_request, Reason})
+    end;
 % GET /_node/$node/_config/Section/Key
 handle_node_req(#httpd{method='GET', path_parts=[_, Node, <<"_config">>, Section, Key]}=Req) ->
     case call_node(Node, config, get, [Section, Key, undefined]) of
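Review bot: `string:trim/1` on the new `Value` line exists only from OTP 20 (the same call appears in the couch_httpd_misc_handlers.erl hunk); if the fix/2.1.2-sec branch is still built on earlier releases this PUT fails with `undef` instead of trimming, so the minimum supported OTP should be confirmed before merging. The new `case` only turns failures returned by `config:set` into a 400; a JSON body that is not a string (a number or an object) still raises inside `string:trim/1` or `?b2l` before the `case` is reached, which is not new but works against the commit's stated goal of a readable error response, and `Value = case chttpd:json_body(Req) of Bin when is_binary(Bin) -> string:trim(Bin); _ -> throw({bad_request, <<"config value must be a string">>}) end,` would give the client a 400 for that case as well. Nothing in this hunk logs `Reason`; whether the "for logging" intent from the commit message is met depends on `chttpd:send_error/2` or `config:set` logging it, which is not visible here.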
diff --git a/src/couch/src/couch_httpd_misc_handlers.erl b/src/couch/src/couch_httpd_misc_handlers.erl
index e2fc9f2..258f1b2 100644
--- a/src/couch/src/couch_httpd_misc_handlers.erl
+++ b/src/couch/src/couch_httpd_misc_handlers.erl
@@ -262,7 +262,7 @@ handle_approved_config_req(#httpd{method='PUT', path_parts=[_, Section, Key]}=Re
         <<"admins">> ->
             couch_passwords:hash_admin_password(RawValue);
         _ ->
-            RawValue
+            string:trim(RawValue)
         end
     end,
     OldValue = config:get(Section, Key, ""),
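Review bot: The `<<"admins">>` branch still hands `RawValue` untrimmed to `couch_passwords:hash_admin_password/1` while every other section now goes through `string:trim/1`, so a trailing newline from a shell tool becomes part of the admin password hash on this endpoint; the chttpd_misc.erl hunk, by contrast, trims every section before `config:set`, so the two endpoints may store different hashes for the same input if whitespace is involved (hedged: admin hashing for the chttpd path is not visible here). If leaving admin passwords verbatim is deliberate, record that with a comment on the `<<"admins">>` clause such as `%% admin passwords are hashed exactly as supplied: surrounding whitespace may be intentional`; otherwise apply the same trim before hashing. handle_approved_config_req/1 begins and ends outside this hunk.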