[ https://issues.apache.org/jira/browse/COUCHDB-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15754432#comment-15754432 ]

ASF GitHub Bot commented on COUCHDB-3257:
-----------------------------------------

GitHub user robertkowalski opened a pull request:

    https://github.com/apache/couchdb-fauxton/pull/824

    Replication: hotfix url parsing for invalid urls

    See COUCHDB-3257: sometimes the replicator returns invalid urls
    which are not encoded. This makes standard conforming url parsers
    choke.
    
    This catches the exception, with the tradeoff of displaying the
    password in the cases where the url is invalid.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/robertkowalski/couchdb-fauxton fix-url-replicator

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/couchdb-fauxton/pull/824.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #824
    
----
commit f3739e11e782dba9bae1d239461262ad8f603e2f
Author: Robert Kowalski <[email protected]>
Date:   2016-12-16T13:27:35Z

    Replication: hotfix url parsing for invalid urls
    
    See COUCHDB-3257: sometimes the replicator returns invalid urls
    which are not encoded. This makes standard conforming url parsers
    choke.
    
    This catches the exception, with the tradeoff of displaying the
    password in the cases where the url is invalid.

----


> Replicator accepts and then returns invalid urls
> ------------------------------------------------
>
>                 Key: COUCHDB-3257
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3257
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core, Replication
>            Reporter: Robert Kowalski
>
> We have an issue that manifests for us in Fauxton but will manifest in any 
> other web browser / url parser.
> The replicator accepts invalid urls. This means it will also return invalid 
> urls on request. These urls make standard-conforming url parsers bail. Example:
> https://rocko:pass#[email protected]/blerg is not valid url syntax. The hash 
> has to be encoded.
> Discussion from #whatwg:
> {code}
> 12:17:03 < robertkowalski> annevk: question to the url spec
> 12:17:16 < robertkowalski> before i open an issue / investigate further
> 12:18:11 < robertkowalski> new 
> URL('https://rocko:pass#[email protected]/blerg')
> 12:18:16 -!-frivoal [~frivoal@2400:2650:86c0:a500:6c4e:56ad:30ff:8140] has 
> joined #whatwg
> 12:18:18 < robertkowalski> throws because of the hash
> 12:19:29 < robertkowalski> i haven't found a section regarding passwords and 
> special / reserved chars. is this a bug in the spec? it limits the amount
>                            possible passwords a lot
> 12:20:06 < nox> robertkowalski: It should be encoded.
> 12:20:23 < annevk> Yeah, you can encode it
> 12:21:16 < annevk> robertkowalski: the specification basically doesn't want 
> you to use URLs to encode username/password
> 12:21:29 < annevk> robertkowalski: https://url.spec.whatwg.org/#url-syntax 
> doesn't allow them
> 12:21:46 < annevk> robertkowalski: (see note at the end of that section)
> 12:22:39 < annevk> robertkowalski: the reason that throws though I think is 
> because # is seen as the start of the path and then a host cannot contain :
> 12:22:43 -!-frivoal [~frivoal@2400:2650:86c0:a500:6c4e:56ad:30ff:8140] has 
> quit [Ping timeout: 258 seconds]
> 12:22:51 < annevk> robertkowalski: well, because :pass is not a valid port
> 12:23:54 < annevk> robertkowalski: for that, see how 
> https://url.spec.whatwg.org/#authority-state and also the host state will 
> treat # as the end of that
> 12:24:25 < annevk> robertkowalski: and 
> https://url.spec.whatwg.org/#port-state for how port will return failure for 
> non-digits
> 12:27:16 < robertkowalski> thank you
> 12:27:46 < robertkowalski> the replicator in couchdb accepts urls with hash 
> as part of the password
> 12:27:57 < robertkowalski> and when we pull them out and want to use them in 
> the browser
> 12:27:59 < robertkowalski> it explodes
> 12:30:14 < nox> robertkowalski: new 
> URL('https://rocko:pass%[email protected]/blerg')
> 12:31:18 < robertkowalski> ty nox - we run into a chicken egg problem here. 
> as we use `new URL` to parse the URL ^^
> 12:31:31 < robertkowalski> so we probably have to fix that in the couch api, 
> not in the frontend
> 12:36:15 < annevk> robertkowalski: yeah, it sounds like the Couch DB API 
> parses URLs differently from browsers
> 12:36:43 < annevk> robertkowalski: that will cause subtle bugs
> {code}
> Proposal:
>  - Reject invalid urls and add an automatic migration strategy for invalid 
> urls in the replicator



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
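
An added example (not Fauxton's or CouchDB's code): one way to mask the password for display without calling `new URL`, so that an invalid stored URL never shows its password, plus re-encoding the userinfo so a strict parser accepts it. The function names and the sample URLs are constructed, and the split rule is an assumption stated in the comments.

```javascript
// Split "scheme://user:password@host/rest" by hand, without a URL parser.
// Assumption: the authority ends at the first "/" after "://" and the
// userinfo ends at the LAST "@" inside it, so "#" or "@" in a password stay
// in the password. A "/" in the password is not handled.
function splitCredentials(raw) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/)([^/]*)(.*)$/i.exec(raw);
  if (!m) return null;
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf('@');
  if (at === -1) return { scheme, user: '', password: '', host: authority, rest };
  const userinfo = authority.slice(0, at);
  const colon = userinfo.indexOf(':');
  const user = colon === -1 ? userinfo : userinfo.slice(0, colon);
  const password = colon === -1 ? '' : userinfo.slice(colon + 1);
  return { scheme, user, password, host: authority.slice(at + 1), rest };
}

// Display form. Never calls the strict parser, so the password is masked even
// when new URL() throws, or succeeds but misreads the string
// (e.g. "user:123#x@host", where "123" is read as a port).
function redactForDisplay(raw) {
  const p = splitCredentials(raw);
  if (!p) return '[unparseable replication URL]'; // never echo the raw string
  if (!p.password) return raw;
  return `${p.scheme}${p.user}:*****@${p.host}${p.rest}`;
}

// Percent-encode the userinfo so a standards-conforming parser accepts it.
// Assumption: a "%XX" sequence in the stored value is already an escape.
function toStrictUrl(raw) {
  const p = splitCredentials(raw);
  if (!p) throw new TypeError('not a hierarchical URL');
  const enc = (s) => {
    try { return encodeURIComponent(decodeURIComponent(s)); }
    catch (e) { return encodeURIComponent(s); } // stray "%": encode as-is
  };
  const auth = p.user || p.password ? `${enc(p.user)}:${enc(p.password)}@` : '';
  return new URL(`${p.scheme}${auth}${p.host}${p.rest}`);
}

// Constructed sample: unencoded "#" in the password, as in the issue.
const stored = 'https://rocko:pass#word@db.example.com/blerg';
console.log(redactForDisplay(stored));
console.log(toStrictUrl(stored).href);
```
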
