Repository: couchdb Updated Branches: refs/heads/master a84fcb2d9 -> dda4a5f22
Remove new CSRF mechanism

Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/dda4a5f2
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/dda4a5f2
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/dda4a5f2

Branch: refs/heads/master
Commit: dda4a5f220fa5d3c705b784c9bb1f1dbe776d724
Parents: a84fcb2
Author: Robert Newson <rnew...@apache.org>
Authored: Thu Sep 10 12:26:29 2015 +0100
Committer: Robert Newson <rnew...@apache.org>
Committed: Thu Sep 10 14:00:46 2015 +0100

----------------------------------------------------------------------
 dev/run                       |  7 +---
 test/javascript/tests/csrf.js | 84 --------------------------------------
 2 files changed, 2 insertions(+), 89 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/dda4a5f2/dev/run
----------------------------------------------------------------------
diff --git a/dev/run b/dev/run
index e519fa6..06c96be 100755
--- a/dev/run
+++ b/dev/run
@@ -30,7 +30,6 @@ import uuid
 from pbkdf2 import pbkdf2_hex
 
 COMMON_SALT = uuid.uuid4().hex
-COMMON_CSRF_SECRET = uuid.uuid4().hex
 
 try:
     from urllib import urlopen
@@ -259,11 +258,9 @@ def hack_local_ini(ctx, contents):
     previous_line = "; require_valid_user = false\n"
     contents = contents.replace(previous_line, previous_line + secret_line)
 
-    csrf_secret = '\n\n[csrf]\nsecret = %s\n' % COMMON_CSRF_SECRET
-
     if ctx['with_admin_party']:
         ctx['admin'] = ('Admin Party!', 'You do not need any password.')
-        return contents + csrf_secret
+        return contents
 
     # handle admin credentials passed from cli or generate own one
     if ctx['admin'] is None:
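Review bot: Nothing in the new code records that the `[csrf]` section is deliberately no longer written, so a reader of `hack_local_ini` who still finds `secret = …` under `[csrf]` in a previously generated local.ini has no pointer to this commit; a one-line comment where `csrf_secret` used to be built would do, e.g. `# No [csrf] section: the CSRF cookie/header mechanism was removed (see dda4a5f2).` Since the mechanism is removed rather than replaced here, the commit message would also benefit from stating what, if anything, now protects cookie-authenticated POSTs to `/_session` that the deleted csrf.js test exercised; the hunk itself does not show that. `hack_local_ini` starts before this hunk and its final return is in the next one.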
@@ -271,7 +268,7 @@ def hack_local_ini(ctx, contents):
     else:
         user, pswd = ctx['admin']
 
-    return contents + "\n%s = %s" % (user, hashify(pswd)) + csrf_secret
+    return contents + "\n%s = %s" % (user, hashify(pswd))
 
 
 def gen_password():

http://git-wip-us.apache.org/repos/asf/couchdb/blob/dda4a5f2/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
deleted file mode 100644
index e16e78b..0000000
--- a/test/javascript/tests/csrf.js
+++ /dev/null
@@ -1,84 +0,0 @@
-// Licensed under the Apache License, Version 2.0 (the "License"); you may not
-// use this file except in compliance with the License. You may obtain a copy of
-// the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-// License for the specific language governing permissions and limitations under
-// the License.
-
-couchTests.csrf = function(debug) {
-  var db = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
-  db.deleteDb();
-  db.createDb();
-
-  if (debug) debugger;
-
-  // Handy function to cause CouchDB to delete the CSRF cookie
-  var deleteCsrf = function() {
-    var xhr = CouchDB.request("POST", "/_session", {
-      body: 'name=foo&password=bar',
-      headers: {'X-CouchDB-CSRF': 'foo',
-                'Content-Type': 'application/x-www-form-urlencoded',
-                'Cookie': 'CouchDB-CSRF=foo'}});
-    TEquals(403, xhr.status);
-  };
-
-  var testFun = function () {
-    // Shouldn't receive header if we didn't ask for it
-    var xhr = CouchDB.request("GET", "/");
-    TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
-    TEquals(200, xhr.status);
-
-    // Matching but invalid cookie/header should 403
-    xhr = CouchDB.request("POST", "/_session", {
-      body: 'name=foo&password=bar',
-      headers: {'X-CouchDB-CSRF': 'foo',
-                'Content-Type': 'application/x-www-form-urlencoded',
-                'Cookie': 'CouchDB-CSRF=foo'}});
-    TEquals(403, xhr.status);
-    TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
-
-    // Can I acquire a CouchDB-CSRF cookie?
-    xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'true'}});
-    var cookie = xhr.getResponseHeader("Set-Cookie").match('^CouchDB-CSRF=([^;]+)');
-    T(cookie, "Should receive cookie");
-
-    // If I have a cookie, do I get a 403 if I don't send the header?
-    xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
-      headers: {'Content-Type':
-                'application/x-www-form-urlencoded'}});
-    TEquals(403, xhr.status);
-    TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
-
-    // If I have a cookie, do I get a 200 if I send a matching header?
-    xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
-      headers: {"X-CouchDB-CSRF": cookie[1],
-                'Content-Type': 'application/x-www-form-urlencoded'}});
-    TEquals(200, xhr.status);
-    TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
-
-    // How about the wrong header?
-    xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
-      headers: {'X-CouchDB-CSRF': 'foo',
-                'Content-Type': 'application/x-www-form-urlencoded'}});
-    TEquals(403, xhr.status);
-    TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
-
-    deleteCsrf();
-  };
-
-  run_on_modified_server(
-    [
-      {section: "couch_httpd_auth",
-       key: "iterations", value: "1"},
-      {section: "admins",
-       key: "foo", value: "bar"}
-    ],
-    testFun
-  );
-
-};