Posted to dev@couchdb.apache.org by Martin Murphy <ma...@whiteboard-it.com> on 2010/08/24 06:26:18 UTC

Bug in Password

CouchDB does not properly URL-decode usernames and passwords in the URL.

This prevents the majority of non-ASCII characters from being used in either
the username or password. This is a pretty high priority bug imo.

It prevents couchapp from working on complex passwords and there are no
alternatives using complex passwords for replication.

It also prevents the very common scenario of using email addresses for
logins/usernames.  (If the logins are to be used with replication).

Thanks for everything.  Wish my Erlang were better, I would fix this myself.

Re: Bug in Password

Posted by Benoit Chesneau <bc...@gmail.com>.
On Wed, Aug 25, 2010 at 8:13 PM, Martin Murphy
<ma...@whiteboard-it.com> wrote:
> Steps to reproduce..
>
> Sign up for a new user in futon with
> username = test@test.com
> password = test
>
>  curl -vX PUT http://test%40test.com:test@localhost:5984/db
>
> The reason that this is important is because usernames with ANY encodable
> characters cannot replicate at the moment.
>
>
Martin, can you provide the result of curl
http://localhost:5984/_users/org.couchdb.user:test0%40test.com ?

I think we may not decode the username when testing it. Can't confirm
right now but I will check tomorrow. Also could you open a ticket in
Jira? Better for tracking such stuff.

- benoit

Re: Bug in Password

Posted by Martin Murphy <ma...@whiteboard-it.com>.
Steps to reproduce..

Sign up for a new user in futon with
username = test@test.com
password = test

 curl -vX PUT http://test%40test.com:test@localhost:5984/db

The reason that this is important is because usernames with ANY encodable
characters cannot replicate at the moment.


On Tue, Aug 24, 2010 at 11:20 AM, Nathan Stott <nr...@gmail.com> wrote:

> That is the id, but I was referring to the "name" field.
>
> {
>   "_id": "org.couchdb.user:nrstott@gmail.com",
>   "_rev": "1-fbc8402aa4d61bf0acd04ab8763760e4",
>   "name": "nrstott@gmail.com",
>   "type": "user",
>   "roles": [
>   ]
> }
>
> That's the actual document.
>
> On Tue, Aug 24, 2010 at 8:44 AM, Benoit Chesneau <bc...@gmail.com>
> wrote:
> > On Tue, Aug 24, 2010 at 3:32 PM, Nathan Stott <nr...@gmail.com> wrote:
> >> It's saved in couch like "username@example.com"
> >>
> >> I have saved users named "nrstott@gmail.com" for example and that's
> >> how it shows up in the "name" field in the user doc
> >>
> >>> On Tue, Aug 24, 2010 at 4:43 AM, Benoit Chesneau <bc...@gmail.com> wrote:
> >>> On Tue, Aug 24, 2010 at 8:08 AM, Nathan Stott <nr...@gmail.com> wrote:
> >>>> You can reproduce it easily using curl or a web browser.  If your
> >>>> username has an @ in it, you can't use URL authentication successfully
> >>>> even if you url encode the username.
> >>>>
> >>>
> >>> At the end CouchDB sees only the headers. So maybe it's the way the
> >>> user was saved in the doc. Can you check how it is saved compared to
> >>> the param you pass in your client or browser?
> >>>
> >>> - benoît
> >>
> >
> > I think it should be org.couchdb.user:username as id in user db. Need
> > to check though.
> >
> > - benoit
> >
>



-- 
Martin Murphy
Whiteboard-it
(205) 910-0720

Re: Bug in Password

Posted by Nathan Stott <nr...@gmail.com>.
That is the id, but I was referring to the "name" field.

{
   "_id": "org.couchdb.user:nrstott@gmail.com",
   "_rev": "1-fbc8402aa4d61bf0acd04ab8763760e4",
   "name": "nrstott@gmail.com",
   "type": "user",
   "roles": [
   ]
}

That's the actual document.

On Tue, Aug 24, 2010 at 8:44 AM, Benoit Chesneau <bc...@gmail.com> wrote:
> On Tue, Aug 24, 2010 at 3:32 PM, Nathan Stott <nr...@gmail.com> wrote:
>> It's saved in couch like "username@example.com"
>>
>> I have saved users named "nrstott@gmail.com" for example and that's
>> how it shows up in the "name" field in the user doc
>>
>> On Tue, Aug 24, 2010 at 4:43 AM, Benoit Chesneau <bc...@gmail.com> wrote:
>>> On Tue, Aug 24, 2010 at 8:08 AM, Nathan Stott <nr...@gmail.com> wrote:
>>>> You can reproduce it easily using curl or a web browser.  If your
>>>> username has an @ in it, you can't use URL authentication successfully
>>>> even if you url encode the username.
>>>>
>>>
>>> At the end CouchDB sees only the headers. So maybe it's the way the
>>> user was saved in the doc. Can you check how it is saved compared to
>>> the param you pass in your client or browser?
>>>
>>> - benoît
>>
>
> I think it should be org.couchdb.user:username as id in user db. Need
> to check though.
>
> - benoit
>

Re: Bug in Password

Posted by Benoit Chesneau <bc...@gmail.com>.
On Tue, Aug 24, 2010 at 3:32 PM, Nathan Stott <nr...@gmail.com> wrote:
> It's saved in couch like "username@example.com"
>
> I have saved users named "nrstott@gmail.com" for example and that's
> how it shows up in the "name" field in the user doc
>
> On Tue, Aug 24, 2010 at 4:43 AM, Benoit Chesneau <bc...@gmail.com> wrote:
>> On Tue, Aug 24, 2010 at 8:08 AM, Nathan Stott <nr...@gmail.com> wrote:
>>> You can reproduce it easily using curl or a web browser.  If your
>>> username has an @ in it, you can't use URL authentication successfully
>>> even if you url encode the username.
>>>
>>
>> At the end CouchDB sees only the headers. So maybe it's the way the
>> user was saved in the doc. Can you check how it is saved compared to
>> the param you pass in your client or browser?
>>
>> - benoît
>

I think it should be org.couchdb.user:username as id in user db. Need
to check though.

- benoit

Re: Bug in Password

Posted by Nathan Stott <nr...@gmail.com>.
It's saved in couch like "username@example.com"

I have saved users named "nrstott@gmail.com" for example and that's
how it shows up in the "name" field in the user doc

On Tue, Aug 24, 2010 at 4:43 AM, Benoit Chesneau <bc...@gmail.com> wrote:
> On Tue, Aug 24, 2010 at 8:08 AM, Nathan Stott <nr...@gmail.com> wrote:
>> You can reproduce it easily using curl or a web browser.  If your
>> username has an @ in it, you can't use URL authentication successfully
>> even if you url encode the username.
>>
>
> At the end CouchDB sees only the headers. So maybe it's the way the
> user was saved in the doc. Can you check how it is saved compared to
> the param you pass in your client or browser?
>
> - benoît

Re: Bug in Password

Posted by Benoit Chesneau <bc...@gmail.com>.
On Tue, Aug 24, 2010 at 8:08 AM, Nathan Stott <nr...@gmail.com> wrote:
> You can reproduce it easily using curl or a web browser.  If your
> username has an @ in it, you can't use URL authentication successfully
> even if you url encode the username.
>

At the end CouchDB sees only the headers. So maybe it's the way the
user was saved in the doc. Can you check how it is saved compared to
the param you pass in your client or browser?

- benoît

Re: Bug in Password

Posted by Nathan Stott <nr...@gmail.com>.
You can reproduce it easily using curl or a web browser.  If your
username has an @ in it, you can't use URL authentication successfully
even if you url encode the username.

On Tue, Aug 24, 2010 at 12:49 AM, Benoit Chesneau <bc...@gmail.com> wrote:
> On Tue, Aug 24, 2010 at 6:26 AM, Martin Murphy
> <ma...@whiteboard-it.com> wrote:
>> CouchDB does not properly URL-decode usernames and passwords in the URL.
>>
>> This prevents the majority of non-ASCII characters from being used in either
>> the username or password. This is a pretty high priority bug imo.
>>
>> It prevents couchapp from working on complex passwords and there are no
>> alternatives using complex passwords for replication.
>>
>> It also prevents the very common scenario of using email addresses for
>> logins/usernames.  (If the logins are to be used with replication).
>>
>> Thanks for everything.  Wish my Erlang were better, I would fix this myself.
>>
>
> Mmm, it is the role of the client to decode url/password from the url
> and pass the right headers to servers. Which client are you using?
>
> - benoit
>

Re: Bug in Password

Posted by Benoit Chesneau <bc...@gmail.com>.
On Tue, Aug 24, 2010 at 6:26 AM, Martin Murphy
<ma...@whiteboard-it.com> wrote:
> CouchDB does not properly URL-decode usernames and passwords in the URL.
>
> This prevents the majority of non-ASCII characters from being used in either
> the username or password. This is a pretty high priority bug imo.
>
> It prevents couchapp from working on complex passwords and there are no
> alternatives using complex passwords for replication.
>
> It also prevents the very common scenario of using email addresses for
> logins/usernames.  (If the logins are to be used with replication).
>
> Thanks for everything.  Wish my Erlang were better, I would fix this myself.
>

Mmm, it is the role of the client to decode url/password from the url
and pass the right headers to servers. Which client are you using?

- benoit
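
An added example (not part of the original thread and not CouchDB or couchapp code) of the client-side step described in the message above: percent-decoding the URL userinfo before building the Basic `Authorization` header, next to the undecoded form that fails to match the stored name. Function names are hypothetical; the URL and user name come from the reproduction steps in this thread.

```javascript
// Added illustration; not CouchDB or couchapp code. Function names are hypothetical.
const REPRO_URL = "http://test%40test.com:test@localhost:5984/db"; // from the thread
const STORED_NAME = "test@test.com";                               // "name" in the user doc

// The WHATWG URL parser leaves userinfo percent-encoded, so decoding is the caller's job.
function splitUserinfo(rawUrl) {
  const u = new URL(rawUrl);
  return { user: u.username, pass: u.password };
}

function basicHeader(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
}

// Correct client behaviour: decode each component, then base64-encode "user:pass".
function basicAuthFromUrl(rawUrl) {
  const { user, pass } = splitUserinfo(rawUrl);
  const name = decodeURIComponent(user); // throws URIError on malformed escapes
  if (name.includes(":")) {
    // Basic auth splits on the first ":", so such a user-id cannot be represented.
    throw new Error("username contains ':' after decoding");
  }
  return basicHeader(name, decodeURIComponent(pass));
}

// Faulty client behaviour: forwards the userinfo still percent-encoded.
function basicAuthUndecoded(rawUrl) {
  const { user, pass } = splitUserinfo(rawUrl);
  return basicHeader(user, pass);
}

// What the server sees: the user name carried in the Authorization header.
function nameFromHeader(header) {
  const text = Buffer.from(header.slice("Basic ".length), "base64").toString("utf8");
  return text.slice(0, text.indexOf(":"));
}

console.log(nameFromHeader(basicAuthFromUrl(REPRO_URL)) === STORED_NAME);   // true
console.log(nameFromHeader(basicAuthUndecoded(REPRO_URL)) === STORED_NAME); // false
```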

Re: Bug in Password

Posted by J Chris Anderson <jc...@apache.org>.
On Aug 23, 2010, at 9:26 PM, Martin Murphy wrote:

> CouchDB does not properly URL-decode usernames and passwords in the URL.
>
> This prevents the majority of non-ASCII characters from being used in either
> the username or password. This is a pretty high priority bug imo.
>
> It prevents couchapp from working on complex passwords and there are no
> alternatives using complex passwords for replication.
>
> It also prevents the very common scenario of using email addresses for
> logins/usernames.  (If the logins are to be used with replication).
>
> Thanks for everything.  Wish my Erlang were better, I would fix this myself.

Can you create a JavaScript test case for this? Modifying one of these files is the best way to make sure your bug is fixed.

http://svn.apache.org/repos/asf/couchdb/trunk/share/www/script/test/

Thanks,
Chris