New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Illegal DB creation permitted #1644

Closed
flimzy opened this Issue Oct 7, 2018 · 1 comment

Comments

Projects
None yet
2 participants
@flimzy
Member

flimzy commented Oct 7, 2018

Reported/asked about here: https://stackoverflow.com/q/52636973/13860

Expected Behavior

Creating a database called !abcdef/_users should fail, due to invalid DB name.

Current Behavior

DB creation succeeds:

curl -v -X PUT http://admin:abc123@localhost:6004/\!abcdef%2F_users
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 6004 (#0)
* Server auth using Basic with user 'admin'
> PUT /!abcdef%2F_users HTTP/1.1
> Host: localhost:6004
> Authorization: Basic YWRtaW46YWJjMTIz
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 201 Created
< Cache-Control: must-revalidate
< Content-Length: 12
< Content-Type: application/json
< Date: Sun, 07 Oct 2018 11:21:46 GMT
< Location: http://localhost:6004/%21abcdef%2F_users
< Server: CouchDB/2.2.0 (Erlang OTP/19)
< X-Couch-Request-ID: 8d5c83b3a4
< X-CouchDB-Body-Time: 0
< 
{"ok":true}
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact

Possible Solution

Seems likely that the "special case" for _users is just too permissive, such as a regex not bound to the beginning of the string, or a similar error.

Steps to Reproduce (for bugs)

See curl command above.

Your Environment

  • Version used: CouchDB 2.2.0 via official Docker image
  • Browser Name and version: curl 7.52.1
  • Operating System and version (desktop or mobile): Debian 9.5
@iilyak

This comment has been minimized.

Contributor

iilyak commented Oct 8, 2018

The problem is here. We only match the suffix of the database and don't check validity of the prefix.

iilyak added a commit to cloudant/couchdb that referenced this issue Oct 8, 2018

Validate database prefix against DBNAME_REGEX for system dbs
Previously we only checked that the suffix of the database is
matching one of the predefined system databases. We really should
check the prefix against DBNAME_REGEXP to prevent creation of
illegaly named databases.

This fixes apache#1644

iilyak added a commit to cloudant/couchdb that referenced this issue Oct 8, 2018

Validate database prefix against DBNAME_REGEX for system dbs
Previously we only checked that the suffix of the database is
matching one of the predefined system databases. We really should
check the prefix against DBNAME_REGEXP to prevent creation of
illegally named databases.

This fixes apache#1644

iilyak added a commit to cloudant/couchdb that referenced this issue Oct 8, 2018

Validate database prefix against DBNAME_REGEX for system dbs
Previously we only checked that the suffix of the database is
matching one of the predefined system databases. We really should
check the prefix against DBNAME_REGEXP to prevent creation of
illegally named databases.

This fixes apache#1644

iilyak added a commit to cloudant/couchdb that referenced this issue Oct 8, 2018

Validate database prefix against DBNAME_REGEX for system dbs
Previously we only checked that the suffix of the database is
matching one of the predefined system databases. We really should
check the prefix against DBNAME_REGEXP to prevent creation of
illegally named databases.

This fixes apache#1644

iilyak added a commit to cloudant/couchdb that referenced this issue Oct 8, 2018

Validate database prefix against DBNAME_REGEX for system dbs
Previously we only checked that the suffix of the database is
matching one of the predefined system databases. We really should
check the prefix against DBNAME_REGEXP to prevent creation of
illegally named databases.

This fixes apache#1644

iilyak added a commit to cloudant/couchdb that referenced this issue Oct 10, 2018

Validate database prefix against DBNAME_REGEX for system dbs
Previously we only checked that the suffix of the database is
matching one of the predefined system databases. We really should
check the prefix against DBNAME_REGEXP to prevent creation of
illegally named databases.

This fixes apache#1644

@iilyak iilyak closed this in #1647 Oct 10, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment