Username isn't escaped on account creation #275

brianewing opened this Issue Jan 18, 2012 · 4 comments

2 participants


When creating a new user, the username isn't escaped (see line 174, user.js).

As such, one could send a request to the API with the username eg. "; sudo rm -Rf --no-preserve-root /; echo " and run commands as root on the server.


The username is validated during registration. Those commands are only run if the username is in the database which would require registration so at NO POINT would this work. Let me remind you once again that the V1 branch is frozen and all work is being done on V2.

@contra contra closed this Jan 18, 2012

Scumbag Contra:

Berates someone for reporting a vulnerability saying "it's validated during registration... at NO POINT would this work".
Silently fixes in a commit, leaving OP looking like a dumbass.



+1, you were right. I assumed we had something to prevent this within our couchdb setup but we don't. I didn't write any of this code, excuse me for not knowing it like the back of my hand.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment