Repository: couchdb-couch Updated Branches: refs/heads/master 4d5dd10bc -> a431e6571
check POST requests for valid json header validate that all POST requests with json body must have also have valid json header: {"Content-Type": "application/json"} This ensures a basic protection against CSRF JIRA: COUCHDB-2775 Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/c7708e9f Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/c7708e9f Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/c7708e9f Branch: refs/heads/master Commit: c7708e9f064e5481d0aadc9c1f0760b0ea7a092e Parents: 0fdc50b Author: Mayya Sharipova <may...@ca.ibm.com> Authored: Wed Sep 2 13:33:29 2015 -0400 Committer: Mayya Sharipova <may...@ca.ibm.com> Committed: Wed Sep 2 15:52:23 2015 -0400
----------------------------------------------------------------------
src/couch_changes.erl | 1 + src/couch_httpd_db.erl | 2 ++ src/couch_httpd_misc_handlers.erl | 2 ++ 3 files changed, 5 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_changes.erl
----------------------------------------------------------------------
diff --git a/src/couch_changes.erl b/src/couch_changes.erl
index 9a1d406..7547aef 100644
--- a/src/couch_changes.erl
+++ b/src/couch_changes.erl
@@ -310,6 +310,7 @@ get_view_qs(Req) ->
 get_doc_ids({json_req, {Props}}) ->
 check_docids(couch_util:get_value(<<"doc_ids">>, Props));
 get_doc_ids(#httpd{method='POST'}=Req) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
 {Props} = couch_httpd:json_body_obj(Req),
 check_docids(couch_util:get_value(<<"doc_ids">>, Props));
 get_doc_ids(#httpd{method='GET'}=Req) ->
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_httpd_db.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_db.erl b/src/couch_httpd_db.erl
index 4337f41..f2a5c14 100644
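Review bot: The added `couch_httpd:validate_ctype(Req, "application/json")` line carries no comment, and its position before `couch_httpd:json_body_obj(Req)` is the whole point: the header must be rejected before the body is consumed, so a cross-site POST never reaches the JSON parser. A later refactor that reorders or merges those two lines would silently drop the protection the commit message describes, so say it in place: `% Check the header before reading the body: a form-submitted cross-site POST cannot set application/json (COUCHDB-2775)`. The `{json_req, {Props}}` clause above receives already-decoded properties and never touches the request, so leaving it unchanged is correct. `get_doc_ids/1` continues past the hunk with the GET clause.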
--- a/src/couch_httpd_db.erl
+++ b/src/couch_httpd_db.erl
@@ -381,6 +381,7 @@ db_req(#httpd{path_parts=[_,<<"_purge">>]}=Req, _Db) ->
 send_method_not_allowed(Req, "POST");
 db_req(#httpd{method='POST',path_parts=[_,<<"_missing_revs">>]}=Req, Db) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
 {JsonDocIdRevs} = couch_httpd:json_body_obj(Req),
 JsonDocIdRevs2 = [{Id, [couch_doc:parse_rev(RevStr) || RevStr <- RevStrs]} ||
 {Id, RevStrs} <- JsonDocIdRevs],
 {ok, Results} = couch_db:get_missing_revs(Db, JsonDocIdRevs2),
@@ -393,6 +394,7 @@ db_req(#httpd{path_parts=[_,<<"_missing_revs">>]}=Req, _Db) ->
 send_method_not_allowed(Req, "POST");
 db_req(#httpd{method='POST',path_parts=[_,<<"_revs_diff">>]}=Req, Db) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
 {JsonDocIdRevs} = couch_httpd:json_body_obj(Req),
 JsonDocIdRevs2 = [{Id, couch_doc:parse_revs(RevStrs)} ||
 {Id, RevStrs} <- JsonDocIdRevs],
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_httpd_misc_handlers.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_misc_handlers.erl b/src/couch_httpd_misc_handlers.erl
index f6b8a4e..10d6d9e 100644
--- a/src/couch_httpd_misc_handlers.erl
+++ b/src/couch_httpd_misc_handlers.erl
@@ -185,6 +185,8 @@ handle_config_req(#httpd{method='GET', path_parts=[_, Section, Key]}=Req) ->
 end;
 % POST /_config/_reload - Flushes unpersisted config values from RAM
 handle_config_req(#httpd{method='POST', path_parts=[_, <<"_reload">>]}=Req) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
+ _ = couch_httpd:body(Req),
 ok = couch_httpd:verify_is_server_admin(Req),
 ok = config:reload(),
 send_json(Req, 200, {[{ok, true}]});
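Review bot: The check is inserted by hand immediately before the `couch_httpd:json_body_obj(Req)` call in the `_missing_revs` clause, and again in the `_revs_diff` hunk at @@ -393 below, which makes the protection opt-in at each call site rather than the default; the remaining POST clauses of `db_req/2` lie outside these hunks, so I cannot tell from here whether any of them still reads a JSON body without the check, but that sweep is what this commit should come with. A single entry point in `couch_httpd` that performs `validate_ctype(Req, "application/json")` and then decodes the body would make the check impossible to forget and would let both clauses go back to one line each. Neither hunk records that the new call must precede the body read (it presumably rejects by throwing before anything is consumed); a comment on the first occurrence, `% header check must precede the body read (COUCHDB-2775)`, would carry that intent.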
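Review bot: `_ = couch_httpd:body(Req)` discards a result with no explanation of why the body is read at all on an endpoint that takes no input, and a bare `_ =` without a stated reason is a review smell in Erlang; I assume the intent is to drain the request before replying, in which case write `% drain the body so the connection is left in a consistent state before replying` (confirm that this is the reason). The two added lines also run before `ok = couch_httpd:verify_is_server_admin(Req)`, so an unauthenticated client now has the server read its body, up to whatever request-size limit applies, before being turned away; moving the admin check above the added lines rejects non-admins first and keeps the content-type requirement for the cross-site case, which the admin check alone would not stop because the browser supplies the cookie. Requiring `Content-Type: application/json` on a POST that previously accepted an empty request with no headers is a client-visible contract change for `/_config/_reload` and should be stated in the endpoint documentation.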