Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/02 17:30:40 UTC
[1/2] chttpd commit: updated refs/heads/master to 33f75ea
Repository: couchdb-chttpd
Updated Branches:
refs/heads/master 2fba00db0 -> 33f75ea2b
check POST requests for valid json header
validate that all POST requests with json body must also have valid
json header: {"Content-Type": "application/json"}
This ensures a basic protection against CSRF
JIRA: COUCHDB-2775
Project: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/commit/c903b52e
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/tree/c903b52e
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/diff/c903b52e
Branch: refs/heads/master
Commit: c903b52e063d89f84c4f87ad41bab1369bd88bf4
Parents: 40cfa61
Author: Mayya Sharipova <ma...@ca.ibm.com>
Authored: Mon Aug 17 10:12:46 2015 -0400
Committer: Mayya Sharipova <ma...@ca.ibm.com>
Committed: Tue Aug 18 07:32:19 2015 -0400
----------------------------------------------------------------------
src/chttpd.erl | 6 +++++-
src/chttpd_db.erl | 14 +++++++++-----
src/chttpd_misc.erl | 3 ++-
src/chttpd_show.erl | 2 ++
src/chttpd_view.erl | 1 +
5 files changed, 19 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd.erl
----------------------------------------------------------------------
diff --git a/src/chttpd.erl b/src/chttpd.erl
index 52400ca..f9a83a7 100644
--- a/src/chttpd.erl
+++ b/src/chttpd.erl
@@ -26,7 +26,8 @@
start_response_length/4, send/2, start_json_response/2,
start_json_response/3, end_json_response/1, send_response/4,
send_method_not_allowed/2, send_error/2, send_error/4, send_redirect/2,
- send_chunked_error/2, send_json/2,send_json/3,send_json/4]).
+ send_chunked_error/2, send_json/2,send_json/3,send_json/4,
+ validate_ctype/2]).
-export([authenticate_request/3]).
@@ -561,6 +562,9 @@ body(#httpd{mochi_req=MochiReq, req_body=ReqBody}) ->
ReqBody
end.
+validate_ctype(Req, Ctype) ->
+ couch_httpd:validate_ctype(Req, Ctype).
+
json_body(Httpd) ->
case body(Httpd) of
undefined ->
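Review bot: The new validate_ctype/2 wrapper carries no -spec or comment, so a reader of chttpd cannot tell from this module whether it returns or raises on a mismatch. A one-line doc would fix that, e.g. `%% Delegates to couch_httpd:validate_ctype/2; presumably throws {bad_ctype, _} when the Content-Type header is missing or does not match Ctype -- confirm against couch_httpd` together with `-spec validate_ctype(#httpd{}, string()) -> ok.` if that is indeed the contract. That comment is also the right place to state why the check matters: a cross-site form submission cannot set Content-Type: application/json, so this header check is what provides the CSRF protection the commit message describes, complementing validate_referer. json_body/1 continues past the end of the hunk.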
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd_db.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_db.erl b/src/chttpd_db.erl
index a8fdc16..f45af6c 100644
--- a/src/chttpd_db.erl
+++ b/src/chttpd_db.erl
@@ -73,7 +73,7 @@ handle_request(#httpd{path_parts=[DbName|RestParts],method=Method}=Req)->
end.
handle_changes_req(#httpd{method='POST'}=Req, Db) ->
- couch_httpd:validate_ctype(Req, "application/json"),
+ chttpd:validate_ctype(Req, "application/json"),
handle_changes_req1(Req, Db);
handle_changes_req(#httpd{method='GET'}=Req, Db) ->
handle_changes_req1(Req, Db);
@@ -303,7 +303,7 @@ db_req(#httpd{method='GET',path_parts=[DbName]}=Req, _Db) ->
send_json(Req, {DbInfo});
db_req(#httpd{method='POST', path_parts=[DbName], user_ctx=Ctx}=Req, Db) ->
- couch_httpd:validate_ctype(Req, "application/json"),
+ chttpd:validate_ctype(Req, "application/json"),
W = chttpd:qs_value(Req, "w", integer_to_list(mem3:quorum(Db))),
Options = [{user_ctx,Ctx}, {w,W}],
@@ -352,6 +352,7 @@ db_req(#httpd{path_parts=[_DbName]}=Req, _Db) ->
send_method_not_allowed(Req, "DELETE,GET,HEAD,POST");
db_req(#httpd{method='POST',path_parts=[_,<<"_ensure_full_commit">>]}=Req, _Db) ->
+ chttpd:validate_ctype(Req, "application/json"),
send_json(Req, 201, {[
{ok, true},
{instance_start_time, <<"0">>}
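Review bot: The check added before send_json for _ensure_full_commit guards a handler that never reads a request body, which goes beyond the scope the commit message states ("POST requests with json body"); the same applies to handle_reload_query_servers_req in chttpd_misc.erl. Clients that POST these endpoints with an empty body and no Content-Type header will now be rejected, so that behaviour change should be intentional and documented. If the intent is that every state-changing POST must carry the header regardless of body (the stronger CSRF posture), a comment such as `%% no body is read, but the JSON Content-Type is still required so a cross-site form POST cannot reach this endpoint` would make that explicit. The db_req clause continues past the end of the hunk.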
@@ -362,7 +363,7 @@ db_req(#httpd{path_parts=[_,<<"_ensure_full_commit">>]}=Req, _Db) ->
db_req(#httpd{method='POST',path_parts=[_,<<"_bulk_docs">>], user_ctx=Ctx}=Req, Db) ->
couch_stats:increment_counter([couchdb, httpd, bulk_requests]),
- couch_httpd:validate_ctype(Req, "application/json"),
+ chttpd:validate_ctype(Req, "application/json"),
{JsonProps} = chttpd:json_body_obj(Req),
DocsArray = case couch_util:get_value(<<"docs">>, JsonProps) of
undefined ->
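Review bot: couch_stats:increment_counter([couchdb, httpd, bulk_requests]) still runs before chttpd:validate_ctype, so a request rejected for a wrong or missing Content-Type is counted as a bulk request. If the counter is meant to measure accepted bulk requests, swap the two lines so validation comes first: `chttpd:validate_ctype(Req, "application/json"),` followed by `couch_stats:increment_counter([couchdb, httpd, bulk_requests]),`. If counting rejected attempts is deliberate, a short comment saying so would stop the next reader from reordering them. The db_req clause continues past the end of the hunk.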
@@ -437,7 +438,7 @@ db_req(#httpd{path_parts=[_,<<"_bulk_docs">>]}=Req, _Db) ->
send_method_not_allowed(Req, "POST");
db_req(#httpd{method='POST',path_parts=[_,<<"_purge">>]}=Req, Db) ->
- couch_httpd:validate_ctype(Req, "application/json"),
+ chttpd:validate_ctype(Req, "application/json"),
{IdsRevs} = chttpd:json_body_obj(Req),
IdsRevs2 = [{Id, couch_doc:parse_revs(Revs)} || {Id, Revs} <- IdsRevs],
case fabric:purge_docs(Db, IdsRevs2) of
@@ -466,6 +467,7 @@ db_req(#httpd{method='GET',path_parts=[_,OP]}=Req, Db) when ?IS_ALL_DOCS(OP) ->
end;
db_req(#httpd{method='POST',path_parts=[_,OP]}=Req, Db) when ?IS_ALL_DOCS(OP) ->
+ chttpd:validate_ctype(Req, "application/json"),
{Fields} = chttpd:json_body_obj(Req),
case couch_util:get_value(<<"keys">>, Fields, nil) of
Keys when is_list(Keys) ->
@@ -480,6 +482,7 @@ db_req(#httpd{path_parts=[_,OP]}=Req, _Db) when ?IS_ALL_DOCS(OP) ->
send_method_not_allowed(Req, "GET,HEAD,POST");
db_req(#httpd{method='POST',path_parts=[_,<<"_missing_revs">>]}=Req, Db) ->
+ chttpd:validate_ctype(Req, "application/json"),
{JsonDocIdRevs} = chttpd:json_body_obj(Req),
{ok, Results} = fabric:get_missing_revs(Db, JsonDocIdRevs),
Results2 = [{Id, couch_doc:revs_to_strs(Revs)} || {Id, Revs, _} <- Results],
@@ -491,6 +494,7 @@ db_req(#httpd{path_parts=[_,<<"_missing_revs">>]}=Req, _Db) ->
send_method_not_allowed(Req, "POST");
db_req(#httpd{method='POST',path_parts=[_,<<"_revs_diff">>]}=Req, Db) ->
+ chttpd:validate_ctype(Req, "application/json"),
{JsonDocIdRevs} = chttpd:json_body_obj(Req),
{ok, Results} = fabric:get_missing_revs(Db, JsonDocIdRevs),
Results2 =
@@ -664,7 +668,7 @@ db_doc_req(#httpd{method='GET'}=Req, Db, DocId) ->
db_doc_req(#httpd{method='POST', user_ctx=Ctx}=Req, Db, DocId) ->
couch_httpd:validate_referer(Req),
couch_doc:validate_docid(DocId),
- couch_httpd:validate_ctype(Req, "multipart/form-data"),
+ chttpd:validate_ctype(Req, "multipart/form-data"),
W = chttpd:qs_value(Req, "w", integer_to_list(mem3:quorum(Db))),
Options = [{user_ctx,Ctx}, {w,W}],
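Review bot: validate_referer is still called as couch_httpd:validate_referer(Req) two lines above the changed one, while validate_ctype now goes through the chttpd wrapper, so this clause's request checks are split across two modules. If the point of chttpd:validate_ctype/2 is to stop chttpd modules depending on couch_httpd for request validation, validate_referer should get the same treatment (`chttpd:validate_referer(Req),` backed by an equivalent wrapper in chttpd.erl); otherwise the mixed prefixes leave it unclear which module is authoritative for these checks. The db_doc_req clause continues past the end of the hunk.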
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd_misc.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_misc.erl b/src/chttpd_misc.erl
index 2d058ad..0937baf 100644
--- a/src/chttpd_misc.erl
+++ b/src/chttpd_misc.erl
@@ -140,7 +140,7 @@ handle_task_status_req(Req) ->
send_method_not_allowed(Req, "GET,HEAD").
handle_replicate_req(#httpd{method='POST', user_ctx=Ctx} = Req) ->
- couch_httpd:validate_ctype(Req, "application/json"),
+ chttpd:validate_ctype(Req, "application/json"),
%% see HACK in chttpd.erl about replication
PostBody = get(post_body),
try replicate(PostBody, Ctx) of
@@ -216,6 +216,7 @@ choose_node(Key) ->
choose_node(term_to_binary(Key)).
handle_reload_query_servers_req(#httpd{method='POST'}=Req) ->
+ chttpd:validate_ctype(Req, "application/json"),
ok = couch_proc_manager:reload(),
send_json(Req, 200, {[{ok, true}]});
handle_reload_query_servers_req(Req) ->
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd_show.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_show.erl b/src/chttpd_show.erl
index 4254e7a..924221a 100644
--- a/src/chttpd_show.erl
+++ b/src/chttpd_show.erl
@@ -169,6 +169,7 @@ handle_view_list_req(#httpd{method='GET'}=Req, _Db, _DDoc) ->
handle_view_list_req(#httpd{method='POST',
path_parts=[_, _, DesignName, _, ListName, ViewName]}=Req, Db, DDoc) ->
+ chttpd:validate_ctype(Req, "application/json"),
ReqBody = chttpd:body(Req),
{Props2} = ?JSON_DECODE(ReqBody),
Keys = proplists:get_value(<<"keys">>, Props2, undefined),
@@ -177,6 +178,7 @@ handle_view_list_req(#httpd{method='POST',
handle_view_list_req(#httpd{method='POST',
path_parts=[_, _, _, _, ListName, DesignName, ViewName]}=Req, Db, DDoc) ->
+ chttpd:validate_ctype(Req, "application/json"),
ReqBody = chttpd:body(Req),
{Props2} = ?JSON_DECODE(ReqBody),
Keys = proplists:get_value(<<"keys">>, Props2, undefined),
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd_view.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_view.erl b/src/chttpd_view.erl
index bb98fec..10b2de9 100644
--- a/src/chttpd_view.erl
+++ b/src/chttpd_view.erl
@@ -70,6 +70,7 @@ handle_view_req(#httpd{method='GET',
handle_view_req(#httpd{method='POST',
path_parts=[_, _, _, _, ViewName]}=Req, Db, DDoc) ->
+ chttpd:validate_ctype(Req, "application/json"),
Props = couch_httpd:json_body_obj(Req),
Keys = couch_mrview_util:get_view_keys(Props),
Queries = couch_mrview_util:get_view_queries(Props),
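Review bot: The line right after the new check still reads the body via couch_httpd:json_body_obj(Req), whereas every chttpd_db handler touched by this commit uses chttpd:json_body_obj(Req); chttpd.erl keeps its own req_body handling in body/1, so the two may not read the body the same way. Routing this handler through `Props = chttpd:json_body_obj(Req),` keeps the Content-Type validation and the body parsing in the same layer. This is a consistency point rather than a defect I can confirm from the hunk. The handle_view_req clause continues past the end of the hunk.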
[2/2] chttpd commit: updated refs/heads/master to 33f75ea
Posted by rn...@apache.org.
Merge remote-tracking branch 'cloudant/2775-post-valid-json-header'
Project: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/commit/33f75ea2
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/tree/33f75ea2
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/diff/33f75ea2
Branch: refs/heads/master
Commit: 33f75ea2be4fe3931027e327c7919a8d1ddbf287
Parents: 2fba00d c903b52
Author: Robert Newson <rn...@apache.org>
Authored: Wed Sep 2 16:30:18 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Wed Sep 2 16:30:18 2015 +0100
----------------------------------------------------------------------
src/chttpd.erl | 6 +++++-
src/chttpd_db.erl | 14 +++++++++-----
src/chttpd_misc.erl | 3 ++-
src/chttpd_show.erl | 2 ++
src/chttpd_view.erl | 1 +
5 files changed, 19 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/33f75ea2/src/chttpd.erl
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/33f75ea2/src/chttpd_db.erl
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/33f75ea2/src/chttpd_misc.erl
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/33f75ea2/src/chttpd_view.erl
----------------------------------------------------------------------