You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by kx...@apache.org on 2015/09/28 16:49:36 UTC
[07/39] couchdb commit: updated refs/heads/developer-preview-2.0 to
3ac3db6
Use POST requests to verify CSRF
Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/68e83c23
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/68e83c23
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/68e83c23
Branch: refs/heads/developer-preview-2.0
Commit: 68e83c23b0ac24f7f3245894a3765a5649718880
Parents: b3c5367
Author: Robert Newson <rn...@apache.org>
Authored: Mon Aug 10 20:11:47 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Mon Aug 10 20:11:47 2015 +0100
----------------------------------------------------------------------
test/javascript/tests/csrf.js | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb/blob/68e83c23/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
index 9baef82..9799d6f 100644
--- a/test/javascript/tests/csrf.js
+++ b/test/javascript/tests/csrf.js
@@ -11,12 +11,17 @@
// the License.
couchTests.csrf = function(debug) {
+ var db = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
+ db.deleteDb();
+ db.createDb();
+
if (debug) debugger;
// Handy function to cause CouchDB to delete the CSRF cookie
var deleteCsrf = function() {
- var xhr = CouchDB.request("GET", "/",
- {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ var xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
+ body: '{"keys": []}',
+ headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
TEquals(403, xhr.status);
};
@@ -26,7 +31,9 @@ couchTests.csrf = function(debug) {
TEquals(200, xhr.status);
// Matching but invalid cookie/header should 403
- xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
+ body: '{"keys": []}',
+ headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
@@ -36,17 +43,19 @@ couchTests.csrf = function(debug) {
T(cookie, "Should receive cookie");
// If I have a cookie, do I get a 403 if I don't send the header?
- xhr = CouchDB.request("GET", "/");
+ xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}'});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
// If I have a cookie, do I get a 200 if I send a matching header?
- xhr = CouchDB.request("GET", "/", {headers: {"X-CouchDB-CSRF": cookie[1]}});
+ xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
+ headers: {"X-CouchDB-CSRF": cookie[1]}});
TEquals(200, xhr.status);
TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
// How about the wrong header?
- xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo'}});
+ xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
+ headers: {'X-CouchDB-CSRF': 'foo'}});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");