You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by "Martin Hilbig (JIRA)" <ji...@apache.org> on 2011/01/23 12:30:45 UTC
[jira] Commented: (COUCHDB-759) rewriter should be securely jailed
in a single database by default
[ https://issues.apache.org/jira/browse/COUCHDB-759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12985296#action_12985296 ]
Martin Hilbig commented on COUCHDB-759:
---------------------------------------
hi,
i would like to see this bug reopend, since the rewriter jail can be easily broken
when there is a rewrite rule with an *. consider this one:
{
"from": "/doc/*",
"to": "/../../*",
"method": "GET"
}
this rewrite rule provides cross-db access like these (even behind a vhost):
http://vhost.localhost:5984/doc/../../../../../otherdb/docid
http://vhost.localhost:5984/doc/../../../../../_all_dbs
so i propose that either rewrite rules with an asterix in them should be
considered insecure (and therefore catched by secure_rewrites option) or
(even better) couchdb should forbid requests with to many .. in them.
have fun
> rewriter should be securely jailed in a single database by default
> ------------------------------------------------------------------
>
> Key: COUCHDB-759
> URL: https://issues.apache.org/jira/browse/COUCHDB-759
> Project: CouchDB
> Issue Type: Bug
> Reporter: Chris Anderson
>
> This will allow us to isolate databases using vhosts and the browser's single-origin policy.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.