Repository: couchdb-couch
Updated Branches:
refs/heads/master 4d5dd10bc -> a431e6571
check POST requests for valid json header
validate that all POST requests with json body must have also have valid
json header: {"Content-Type": "application/json"}
This ensures a basic protection against CSRF
JIRA: COUCHDB-2775
Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/c7708e9f
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/c7708e9f
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/c7708e9f
Branch: refs/heads/master
Commit: c7708e9f064e5481d0aadc9c1f0760b0ea7a092e
Parents: 0fdc50b
Author: Mayya Sharipova <may...@ca.ibm.com>
Authored: Wed Sep 2 13:33:29 2015 -0400
Committer: Mayya Sharipova <may...@ca.ibm.com>
Committed: Wed Sep 2 15:52:23 2015 -0400
----------------------------------------------------------------------
src/couch_changes.erl | 1 +
src/couch_httpd_db.erl | 2 ++
src/couch_httpd_misc_handlers.erl | 2 ++
3 files changed, 5 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_changes.erl
----------------------------------------------------------------------
diff --git a/src/couch_changes.erl b/src/couch_changes.erl
index 9a1d406..7547aef 100644
--- a/src/couch_changes.erl
+++ b/src/couch_changes.erl
@@ -310,6 +310,7 @@ get_view_qs(Req) ->
get_doc_ids({json_req, {Props}}) ->
check_docids(couch_util:get_value(<<"doc_ids">>, Props));
get_doc_ids(#httpd{method='POST'}=Req) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
{Props} = couch_httpd:json_body_obj(Req),
check_docids(couch_util:get_value(<<"doc_ids">>, Props));
get_doc_ids(#httpd{method='GET'}=Req) ->
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_httpd_db.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_db.erl b/src/couch_httpd_db.erl
index 4337f41..f2a5c14 100644
--- a/src/couch_httpd_db.erl
+++ b/src/couch_httpd_db.erl
@@ -381,6 +381,7 @@ db_req(#httpd{path_parts=[_,<<"_purge">>]}=Req, _Db) ->
send_method_not_allowed(Req, "POST");
db_req(#httpd{method='POST',path_parts=[_,<<"_missing_revs">>]}=Req, Db) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
{JsonDocIdRevs} = couch_httpd:json_body_obj(Req),
JsonDocIdRevs2 = [{Id, [couch_doc:parse_rev(RevStr) || RevStr <- RevStrs]}
|| {Id, RevStrs} <- JsonDocIdRevs],
{ok, Results} = couch_db:get_missing_revs(Db, JsonDocIdRevs2),
@@ -393,6 +394,7 @@ db_req(#httpd{path_parts=[_,<<"_missing_revs">>]}=Req, _Db)
->
send_method_not_allowed(Req, "POST");
db_req(#httpd{method='POST',path_parts=[_,<<"_revs_diff">>]}=Req, Db) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
{JsonDocIdRevs} = couch_httpd:json_body_obj(Req),
JsonDocIdRevs2 =
[{Id, couch_doc:parse_revs(RevStrs)} || {Id, RevStrs} <-
JsonDocIdRevs],
http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/c7708e9f/src/couch_httpd_misc_handlers.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_misc_handlers.erl
b/src/couch_httpd_misc_handlers.erl
index f6b8a4e..10d6d9e 100644
--- a/src/couch_httpd_misc_handlers.erl
+++ b/src/couch_httpd_misc_handlers.erl
@@ -185,6 +185,8 @@ handle_config_req(#httpd{method='GET', path_parts=[_,
Section, Key]}=Req) ->
end;
% POST /_config/_reload - Flushes unpersisted config values from RAM
handle_config_req(#httpd{method='POST', path_parts=[_, <<"_reload">>]}=Req) ->
+ couch_httpd:validate_ctype(Req, "application/json"),
+ _ = couch_httpd:body(Req),
ok = couch_httpd:verify_is_server_admin(Req),
ok = config:reload(),
send_json(Req, 200, {[{ok, true}]});
