You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@couchdb.apache.org by "Martin Hilbig (JIRA)" <ji...@apache.org> on 2011/01/23 12:30:45 UTC

[jira] Commented: (COUCHDB-759) rewriter should be securely jailed in a single database by default

    [ https://issues.apache.org/jira/browse/COUCHDB-759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12985296#action_12985296 ] 

Martin Hilbig commented on COUCHDB-759:
---------------------------------------

hi,

i would like to see this bug reopend, since the rewriter jail can be easily broken
when there is a rewrite rule with an *. consider this one:

{
    "from": "/doc/*",
    "to": "/../../*",
    "method": "GET"
 }

this rewrite rule provides cross-db access like these (even behind a vhost):

http://vhost.localhost:5984/doc/../../../../../otherdb/docid
http://vhost.localhost:5984/doc/../../../../../_all_dbs

so i propose that either rewrite rules with an asterix in them should be 
considered insecure (and therefore catched by secure_rewrites option) or
(even better) couchdb should forbid requests with to many .. in them.

have fun

> rewriter should be securely jailed in a single database by default
> ------------------------------------------------------------------
>
>                 Key: COUCHDB-759
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-759
>             Project: CouchDB
>          Issue Type: Bug
>            Reporter: Chris Anderson
>
> This will allow us to isolate databases using vhosts and the browser's single-origin policy.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.