[jira] Commented: (COUCHDB-558) Validate Content-MD5 request headers on uploads

Sat, 14 Nov 2009 16:43:29 -0800 

    [ 
https://issues.apache.org/jira/browse/COUCHDB-558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12778031#action_12778031
 ] 

Paul Joseph Davis commented on COUCHDB-558:
-------------------------------------------

Filipe,

Overall it looks pretty good, but a couple points:

* We should probably be checking the Content-MD5 before we process the request.
* check_integrity should probably throw an error or return the body
* You should still be recording stats even when validation fails
* There are alot of variable assignments where they aren't necessary.
* keep lines less than 80 characters
* The perl in the JS test is ungood. Either paste it here, or better, use an 
Erlang test to check.
* really_long_function_names_are_hard_to_read - The functions for trailers 
could be made more generic.
* The check for Content-MD5 appears to be case sensitive
* get_has_from_trailer is weird... oh its an rstrip. There's probably a better 
way to do that. Try referencing how Mochiweb parses its headers.

I think the idea is pretty solid. The only thing I'm a bit concerned about is 
the trailier parsing. The current bits are a bit awkard. In a perfect world id 
prefer to see that as a patch to mochiweb, but having it in CouchDB is fine if 
they rejected that patch or during the time it takes to get into upstream.

Also, if you take the approach of having your hash matching function just throw 
an error that will get caught by the try/catch around the HandleReq() call, it 
should simplify a whole lot of this.

If none of that makes any sense let me know and I'll refactor the patch locally 
to try and explain things more concretely.

> Validate Content-MD5 request headers on uploads
> -----------------------------------------------
>
>                 Key: COUCHDB-558
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-558
>             Project: CouchDB
>          Issue Type: Improvement
>          Components: Database Core, HTTP Interface
>            Reporter: Adam Kocoloski
>             Fix For: 0.11
>
>         Attachments: jira-couchdb-558-for-trunk-2nd-try.patch, 
> jira-couchdb-558-for-trunk.patch
>
>
> We could detect in-flight data corruption if a client sends a Content-MD5 
> header along with the data and Couch validates the MD5 on arrival.
> RFC1864 - The Content-MD5 Header Field
> http://www.faqs.org/rfcs/rfc1864.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to