[GitHub] couchdb-nano issue #21: weird headers getting passed through

[carlosduclos <gi...@git.apache.org>]

GitHub user carlosduclos opened an issue:

    https://github.com/apache/couchdb-nano/issues/21

    weird headers getting passed through

    [Original issue](https://github.com/dscape/nano/issues/311)
    
    __mandric__
    There are two headers, uri and statusCode which are not valid http that are being returned from the httpAgent code see lib/nano.js line 195. This could lead to some sensitive information being leaked to the client if you're just passing headers through from CouchDB. Let me know if you think this is a real problem, I'd be happy to try to come up with a valid patch.
    
    Here's an example:
    ```shell
    $ curl -I http://localhost:3333
    HTTP/1.1 200 OK
    X-Powered-By: Express
    etag: "2-8f443270fec4fb34bbc4ebca93a565d3"
    date: Tue, 09 Feb 2016 05:24:29 GMT
    Content-Type: application/json; charset=utf-8
    cache-control: must-revalidate
    statusCode: 200
    uri: http://admin:secret@localhost:5984/test/foo
    Content-Length: 713
    Connection: keep-alive
    ```
    
    ```javascript
    var express = require('express'), 
        db = require('nano')('http://admin:secret@localhost:5984/test'), 
        app = module.exports = express();
    
    app.get('/', function(request,response) {
      db.get('foo', function (error, body, headers) {
        for (var k in headers) {
          response.header(k, headers[k]);
        }
        if (error) {
          return response.status(error.statusCode).send(error.reason);
        }
        response.send(body, 200);
      });
    });
    app.listen(3333);
    ```

----

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---