Posted to commits@couchdb.apache.org by rn...@apache.org on 2014/07/03 17:52:52 UTC

[1/2] couch commit: updated refs/heads/master to c10fe5e

Repository: couchdb-couch
Updated Branches:
  refs/heads/master c9a3fc150 -> c10fe5edf


Fix error message

Small typo in the error message. Was ?=rev but should
read ?rev=


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/ef3043ba
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/ef3043ba
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/ef3043ba

Branch: refs/heads/master
Commit: ef3043bac92fd126a5be1dd6575dd50318a11125
Parents: c9a3fc1
Author: Andy Wenk <an...@apache.org>
Authored: Fri Mar 21 23:16:55 2014 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Jul 3 16:48:56 2014 +0100

----------------------------------------------------------------------
 src/couch_httpd_db.erl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/ef3043ba/src/couch_httpd_db.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_db.erl b/src/couch_httpd_db.erl
index ad8654a..4c113e5 100644
--- a/src/couch_httpd_db.erl
+++ b/src/couch_httpd_db.erl
@@ -44,7 +44,7 @@ handle_request(#httpd{path_parts=[DbName|RestParts],method=Method,
         case couch_httpd:qs_value(Req, "rev", false) of
             false -> delete_db_req(Req, DbName);
             _Rev -> throw({bad_request,
-                "You tried to DELETE a database with a ?=rev parameter. "
+                "You tried to DELETE a database with a ?rev= parameter. "
                 ++ "Did you mean to DELETE a document instead?"})
         end;
     {_, []} ->


[2/2] couch commit: updated refs/heads/master to c10fe5e

Posted by rn...@apache.org.
Add Experimental Content-Security-Policy-Support (CSP) for Fauxton

Like every web application, Fauxton is vulnerable against XSS and
CSP is a technology that tries to help against that.

The patch makes it possible to enable CSP for the /_utils path and
allows configuration of the sent header.

The default value of the header breaks the old Futon when CSP is
enabled there: the old Futon has a lot of inline JavaScript, which
is not allowed by the policy I have chosen as the default.

People can enable the feature by setting enable = true in the
section [csp] of their configs


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/c10fe5ed
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/c10fe5ed
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/c10fe5ed

Branch: refs/heads/master
Commit: c10fe5edfc0ffa10243353054b38c3ded444253e
Parents: ef3043b
Author: Robert Kowalski <ro...@kowalski.gd>
Authored: Sat May 17 18:37:30 2014 +0200
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Jul 3 16:51:23 2014 +0100

----------------------------------------------------------------------
 src/couch_httpd_misc_handlers.erl | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c10fe5ed/src/couch_httpd_misc_handlers.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_misc_handlers.erl b/src/couch_httpd_misc_handlers.erl
index 0cd7e7e..a49572b 100644
--- a/src/couch_httpd_misc_handlers.erl
+++ b/src/couch_httpd_misc_handlers.erl
@@ -68,9 +68,10 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
     case couch_httpd:partition(UrlPath) of
     {_ActionKey, "/", RelativePath} ->
         % GET /_utils/path or GET /_utils/
-        CachingHeaders =
-                [{"Cache-Control", "private, must-revalidate"}],
-        couch_httpd:serve_file(Req, RelativePath, DocumentRoot, CachingHeaders);
+        CachingHeaders = [{"Cache-Control", "private, must-revalidate"}],
+        EnableCsp = couch_config:get("csp", "enable", "false"),
+        Headers = maybe_add_csp_headers(CachingHeaders, EnableCsp),
+        couch_httpd:serve_file(Req, RelativePath, DocumentRoot, Headers);
     {_ActionKey, "", _RelativePath} ->
         % GET /_utils
         RedirectPath = couch_httpd:path(Req) ++ "/",
@@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
 handle_utils_dir_req(Req, _) ->
     send_method_not_allowed(Req, "GET,HEAD").
 
+maybe_add_csp_headers(Headers, "true") ->
+    DefaultValues = "default-src 'self'; img-src 'self'; font-src 'self'; "
+                    "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
+    Value = couch_config:get("csp", "header_value", DefaultValues),
+    [{"Content-Security-Policy", Value} | Headers];
+maybe_add_csp_headers(Headers, _) ->
+    Headers.
+
+
 handle_all_dbs_req(#httpd{method='GET'}=Req) ->
     {ok, DbNames} = couch_server:all_databases(),
     send_json(Req, DbNames);
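Review bot: The default policy on the `script-src` line allows `'unsafe-eval'`, which hands back a good part of the XSS mitigation the commit message sets out to add, and nothing in the hunk records which Fauxton component needs it. Add a comment above `DefaultValues` such as `%% 'unsafe-eval' is required by Fauxton's client-side templating; drop it once that dependency is gone` — adjust the stated reason to the actual dependency, since it cannot be confirmed from this hunk. The first clause also matches only the exact string `"true"`, so a config value like `"True"` or `"1"` silently leaves the header off; if that differs from how other boolean settings in this module are read, normalise the value or log the unexpected one rather than falling through to the catch-all clause. A one-line doc comment on the function would help too: `%% Prepend a Content-Security-Policy header to Headers when [csp] enable is "true"; the policy is read from [csp] header_value, falling back to DefaultValues.`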