Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/09/02 17:30:40 UTC

[1/2] chttpd commit: updated refs/heads/master to 33f75ea

Repository: couchdb-chttpd
Updated Branches:
  refs/heads/master 2fba00db0 -> 33f75ea2b


check POST requests for valid json header

validate that all POST requests carrying a JSON body also carry a valid
JSON Content-Type header: `Content-Type: application/json`.
This provides basic protection against CSRF.

JIRA: COUCHDB-2775


Project: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/commit/c903b52e
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/tree/c903b52e
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/diff/c903b52e

Branch: refs/heads/master
Commit: c903b52e063d89f84c4f87ad41bab1369bd88bf4
Parents: 40cfa61
Author: Mayya Sharipova <ma...@ca.ibm.com>
Authored: Mon Aug 17 10:12:46 2015 -0400
Committer: Mayya Sharipova <ma...@ca.ibm.com>
Committed: Tue Aug 18 07:32:19 2015 -0400

----------------------------------------------------------------------
 src/chttpd.erl      |  6 +++++-
 src/chttpd_db.erl   | 14 +++++++++-----
 src/chttpd_misc.erl |  3 ++-
 src/chttpd_show.erl |  2 ++
 src/chttpd_view.erl |  1 +
 5 files changed, 19 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd.erl
----------------------------------------------------------------------
diff --git a/src/chttpd.erl b/src/chttpd.erl
index 52400ca..f9a83a7 100644
--- a/src/chttpd.erl
+++ b/src/chttpd.erl
@@ -26,7 +26,8 @@
     start_response_length/4, send/2, start_json_response/2,
     start_json_response/3, end_json_response/1, send_response/4,
     send_method_not_allowed/2, send_error/2, send_error/4, send_redirect/2,
-    send_chunked_error/2, send_json/2,send_json/3,send_json/4]).
+    send_chunked_error/2, send_json/2,send_json/3,send_json/4,
+    validate_ctype/2]).
 
 -export([authenticate_request/3]).
 
@@ -561,6 +562,9 @@ body(#httpd{mochi_req=MochiReq, req_body=ReqBody}) ->
             ReqBody
     end.
 
+validate_ctype(Req, Ctype) ->
+    couch_httpd:validate_ctype(Req, Ctype).
+
 json_body(Httpd) ->
     case body(Httpd) of
         undefined ->
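Review bot: The new `validate_ctype/2` wrapper at the top of this hunk has no spec or comment, so a reader of chttpd.erl cannot tell what it checks or how it fails without opening couch_httpd, even though the commit message relies on it as the CSRF guard. I would document the contract here, e.g. `%% Reject the request unless its Content-Type matches Ctype. Used as a CSRF guard: a browser cannot attach a non-form Content-Type such as application/json to a cross-site request without a CORS preflight.` and, if `couch_httpd:validate_ctype/2` returns `ok` on success, add `-spec validate_ctype(#httpd{}, string()) -> ok.` The failure mode (presumably a thrown error that the dispatcher turns into an HTTP error) is not visible in this hunk and should be confirmed before it is documented. `json_body/1` continues past the end of the hunk.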

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd_db.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_db.erl b/src/chttpd_db.erl
index a8fdc16..f45af6c 100644
--- a/src/chttpd_db.erl
+++ b/src/chttpd_db.erl
@@ -73,7 +73,7 @@ handle_request(#httpd{path_parts=[DbName|RestParts],method=Method}=Req)->
     end.
 
 handle_changes_req(#httpd{method='POST'}=Req, Db) ->
-    couch_httpd:validate_ctype(Req, "application/json"),
+    chttpd:validate_ctype(Req, "application/json"),
     handle_changes_req1(Req, Db);
 handle_changes_req(#httpd{method='GET'}=Req, Db) ->
     handle_changes_req1(Req, Db);
@@ -303,7 +303,7 @@ db_req(#httpd{method='GET',path_parts=[DbName]}=Req, _Db) ->
     send_json(Req, {DbInfo});
 
 db_req(#httpd{method='POST', path_parts=[DbName], user_ctx=Ctx}=Req, Db) ->
-    couch_httpd:validate_ctype(Req, "application/json"),
+    chttpd:validate_ctype(Req, "application/json"),
 
     W = chttpd:qs_value(Req, "w", integer_to_list(mem3:quorum(Db))),
     Options = [{user_ctx,Ctx}, {w,W}],
@@ -352,6 +352,7 @@ db_req(#httpd{path_parts=[_DbName]}=Req, _Db) ->
     send_method_not_allowed(Req, "DELETE,GET,HEAD,POST");
 
 db_req(#httpd{method='POST',path_parts=[_,<<"_ensure_full_commit">>]}=Req, _Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     send_json(Req, 201, {[
         {ok, true},
         {instance_start_time, <<"0">>}
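Review bot: The `_ensure_full_commit` clause reads no request body, so the added `chttpd:validate_ctype(Req, "application/json")` now rejects bodyless POSTs from existing clients that never sent a Content-Type header, which the commit message does not call out as a behaviour change. If that is intended, it should be noted in the commit message and in the API docs for this endpoint; if not, consider gating the check on a non-empty body. The same applies to the `_reload_query_servers` handler in chttpd_misc.erl. The clause ends outside the hunk.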
@@ -362,7 +363,7 @@ db_req(#httpd{path_parts=[_,<<"_ensure_full_commit">>]}=Req, _Db) ->
 
 db_req(#httpd{method='POST',path_parts=[_,<<"_bulk_docs">>], user_ctx=Ctx}=Req, Db) ->
     couch_stats:increment_counter([couchdb, httpd, bulk_requests]),
-    couch_httpd:validate_ctype(Req, "application/json"),
+    chttpd:validate_ctype(Req, "application/json"),
     {JsonProps} = chttpd:json_body_obj(Req),
     DocsArray = case couch_util:get_value(<<"docs">>, JsonProps) of
     undefined ->
@@ -437,7 +438,7 @@ db_req(#httpd{path_parts=[_,<<"_bulk_docs">>]}=Req, _Db) ->
     send_method_not_allowed(Req, "POST");
 
 db_req(#httpd{method='POST',path_parts=[_,<<"_purge">>]}=Req, Db) ->
-    couch_httpd:validate_ctype(Req, "application/json"),
+    chttpd:validate_ctype(Req, "application/json"),
     {IdsRevs} = chttpd:json_body_obj(Req),
     IdsRevs2 = [{Id, couch_doc:parse_revs(Revs)} || {Id, Revs} <- IdsRevs],
     case fabric:purge_docs(Db, IdsRevs2) of
@@ -466,6 +467,7 @@ db_req(#httpd{method='GET',path_parts=[_,OP]}=Req, Db) when ?IS_ALL_DOCS(OP) ->
     end;
 
 db_req(#httpd{method='POST',path_parts=[_,OP]}=Req, Db) when ?IS_ALL_DOCS(OP) ->
+    chttpd:validate_ctype(Req, "application/json"),
     {Fields} = chttpd:json_body_obj(Req),
     case couch_util:get_value(<<"keys">>, Fields, nil) of
     Keys when is_list(Keys) ->
@@ -480,6 +482,7 @@ db_req(#httpd{path_parts=[_,OP]}=Req, _Db) when ?IS_ALL_DOCS(OP) ->
     send_method_not_allowed(Req, "GET,HEAD,POST");
 
 db_req(#httpd{method='POST',path_parts=[_,<<"_missing_revs">>]}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     {JsonDocIdRevs} = chttpd:json_body_obj(Req),
     {ok, Results} = fabric:get_missing_revs(Db, JsonDocIdRevs),
     Results2 = [{Id, couch_doc:revs_to_strs(Revs)} || {Id, Revs, _} <- Results],
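Review bot: `_missing_revs` (and `_revs_diff` in the next hunk) are replication-protocol endpoints, so the new Content-Type requirement is a wire-protocol change for any third-party replicator that omits the header; that is worth stating in the commit message and in the replication protocol documentation. The check is correctly placed before `chttpd:json_body_obj/1`, so the body is only parsed for requests that pass. The clause ends outside the hunk.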
@@ -491,6 +494,7 @@ db_req(#httpd{path_parts=[_,<<"_missing_revs">>]}=Req, _Db) ->
     send_method_not_allowed(Req, "POST");
 
 db_req(#httpd{method='POST',path_parts=[_,<<"_revs_diff">>]}=Req, Db) ->
+    chttpd:validate_ctype(Req, "application/json"),
     {JsonDocIdRevs} = chttpd:json_body_obj(Req),
     {ok, Results} = fabric:get_missing_revs(Db, JsonDocIdRevs),
     Results2 =
@@ -664,7 +668,7 @@ db_doc_req(#httpd{method='GET'}=Req, Db, DocId) ->
 db_doc_req(#httpd{method='POST', user_ctx=Ctx}=Req, Db, DocId) ->
     couch_httpd:validate_referer(Req),
     couch_doc:validate_docid(DocId),
-    couch_httpd:validate_ctype(Req, "multipart/form-data"),
+    chttpd:validate_ctype(Req, "multipart/form-data"),
 
     W = chttpd:qs_value(Req, "w", integer_to_list(mem3:quorum(Db))),
     Options = [{user_ctx,Ctx}, {w,W}],
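Review bot: The `"multipart/form-data"` check in this db_doc_req POST clause does not provide the CSRF protection the commit message describes, because multipart/form-data is exactly what a cross-site HTML form submits without any preflight; the clause's actual CSRF guard is the `couch_httpd:validate_referer(Req)` call two lines above. A short comment would keep a later cleanup from dropping the referer check as redundant, e.g. `% multipart/form-data is form-submittable, so the referer check above, not the ctype check, is the CSRF guard here`. `db_doc_req` continues past the end of the hunk.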

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd_misc.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_misc.erl b/src/chttpd_misc.erl
index 2d058ad..0937baf 100644
--- a/src/chttpd_misc.erl
+++ b/src/chttpd_misc.erl
@@ -140,7 +140,7 @@ handle_task_status_req(Req) ->
     send_method_not_allowed(Req, "GET,HEAD").
 
 handle_replicate_req(#httpd{method='POST', user_ctx=Ctx} = Req) ->
-    couch_httpd:validate_ctype(Req, "application/json"),
+    chttpd:validate_ctype(Req, "application/json"),
     %% see HACK in chttpd.erl about replication
     PostBody = get(post_body),
     try replicate(PostBody, Ctx) of
@@ -216,6 +216,7 @@ choose_node(Key) ->
     choose_node(term_to_binary(Key)).
 
 handle_reload_query_servers_req(#httpd{method='POST'}=Req) ->
+    chttpd:validate_ctype(Req, "application/json"),
     ok = couch_proc_manager:reload(),
     send_json(Req, 200, {[{ok, true}]});
 handle_reload_query_servers_req(Req) ->
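Review bot: `handle_reload_query_servers_req` reads no body, so the Content-Type check added here turns any existing script that POSTs to this endpoint without a Content-Type header into an error, and the commit message does not mention the new requirement. Either document it for this endpoint or gate the check on a non-empty body, consistent with whatever is decided for `_ensure_full_commit`. The fallback clause starting on the last line of the hunk continues past it.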

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd_show.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_show.erl b/src/chttpd_show.erl
index 4254e7a..924221a 100644
--- a/src/chttpd_show.erl
+++ b/src/chttpd_show.erl
@@ -169,6 +169,7 @@ handle_view_list_req(#httpd{method='GET'}=Req, _Db, _DDoc) ->
 
 handle_view_list_req(#httpd{method='POST',
         path_parts=[_, _, DesignName, _, ListName, ViewName]}=Req, Db, DDoc) ->
+    chttpd:validate_ctype(Req, "application/json"),
     ReqBody = chttpd:body(Req),
     {Props2} = ?JSON_DECODE(ReqBody),
     Keys = proplists:get_value(<<"keys">>, Props2, undefined),
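Review bot: The same `chttpd:validate_ctype(Req, "application/json")` line is duplicated across the two POST clauses of `handle_view_list_req` (this hunk and the next), and each still decodes the raw body with `?JSON_DECODE(chttpd:body(Req))` rather than `chttpd:json_body_obj/1` as the chttpd_db.erl handlers in this commit do. A single POST clause that validates and decodes once and then dispatches on `path_parts` would keep the two checks from drifting apart. Both clauses continue past their hunks.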
@@ -177,6 +178,7 @@ handle_view_list_req(#httpd{method='POST',
 
 handle_view_list_req(#httpd{method='POST',
         path_parts=[_, _, _, _, ListName, DesignName, ViewName]}=Req, Db, DDoc) ->
+    chttpd:validate_ctype(Req, "application/json"),
     ReqBody = chttpd:body(Req),
     {Props2} = ?JSON_DECODE(ReqBody),
     Keys = proplists:get_value(<<"keys">>, Props2, undefined),

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/c903b52e/src/chttpd_view.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_view.erl b/src/chttpd_view.erl
index bb98fec..10b2de9 100644
--- a/src/chttpd_view.erl
+++ b/src/chttpd_view.erl
@@ -70,6 +70,7 @@ handle_view_req(#httpd{method='GET',
 
 handle_view_req(#httpd{method='POST',
         path_parts=[_, _, _, _, ViewName]}=Req, Db, DDoc) ->
+    chttpd:validate_ctype(Req, "application/json"),
     Props = couch_httpd:json_body_obj(Req),
     Keys = couch_mrview_util:get_view_keys(Props),
     Queries = couch_mrview_util:get_view_queries(Props),
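Review bot: This handler still reads the body through `couch_httpd:json_body_obj(Req)` on the line after the new check, while the rest of the commit consistently routes through the `chttpd` module (`chttpd:validate_ctype`, `chttpd:json_body_obj` in chttpd_db.erl). For consistency, and so the body read presumably goes through the same `chttpd:body/1` path (with its `req_body` field) that the other handlers use, I would change it to `Props = chttpd:json_body_obj(Req),`. The clause continues past the end of the hunk.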


[2/2] chttpd commit: updated refs/heads/master to 33f75ea

Posted by rn...@apache.org.
Merge remote-tracking branch 'cloudant/2775-post-valid-json-header'


Project: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/commit/33f75ea2
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/tree/33f75ea2
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/diff/33f75ea2

Branch: refs/heads/master
Commit: 33f75ea2be4fe3931027e327c7919a8d1ddbf287
Parents: 2fba00d c903b52
Author: Robert Newson <rn...@apache.org>
Authored: Wed Sep 2 16:30:18 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Wed Sep 2 16:30:18 2015 +0100

----------------------------------------------------------------------
 src/chttpd.erl      |  6 +++++-
 src/chttpd_db.erl   | 14 +++++++++-----
 src/chttpd_misc.erl |  3 ++-
 src/chttpd_show.erl |  2 ++
 src/chttpd_view.erl |  1 +
 5 files changed, 19 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/33f75ea2/src/chttpd.erl
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/33f75ea2/src/chttpd_db.erl
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/33f75ea2/src/chttpd_misc.erl
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/33f75ea2/src/chttpd_view.erl
----------------------------------------------------------------------