[ https://issues.apache.org/jira/browse/COUCHDB-759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12985296#action_12985296 ]
Martin Hilbig commented on COUCHDB-759:
---------------------------------------

hi,

i would like to see this bug reopened, since the rewriter jail can be easily broken when there is a rewrite rule with an *.

consider this one:

{
  "from": "/doc/*",
  "to": "/../../*",
  "method": "GET"
}

this rewrite rule provides cross-db access like these (even behind a vhost):

http://vhost.localhost:5984/doc/../../../../../otherdb/docid
http://vhost.localhost:5984/doc/../../../../../_all_dbs

so i propose that either rewrite rules with an asterisk in them should be considered insecure (and therefore caught by secure_rewrites option) or (even better) couchdb should forbid requests with too many .. in them.

have fun

> rewriter should be securely jailed in a single database by default
> ------------------------------------------------------------------
>
>                 Key: COUCHDB-759
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-759
>             Project: CouchDB
>          Issue Type: Bug
>            Reporter: Chris Anderson
>
> This will allow us to isolate databases using vhosts and the browser's
> single-origin policy.
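
The check proposed in the comment above (refusing a rewritten request whose `..` components climb out of the database), as an added example that is not CouchDB's code and not part of the original comment. It assumes a simplified model in which the rule's `to` is resolved relative to `/<db>/_design/<ddoc>/`; `jailedRewrite`, `matchWildcard`, `segments` and the `mydb`/`app` names are hypothetical.

```javascript
'use strict';

// Constructed sample: the rule quoted in the comment above.
const RULE = { from: '/doc/*', to: '/../../*', method: 'GET' };

// Split a path into segments. Each segment is percent-decoded and split again,
// so "%2e%2e" and "..%2f.." are treated like literal ".." components.
function segments(path) {
  return path.split('/')
    .flatMap(s => decodeURIComponent(s).split('/'))
    .filter(s => s !== '' && s !== '.');
}

// Text matched by the trailing "*" of rule.from, or null when the rule does not apply.
function matchWildcard(rule, requestPath) {
  const prefix = rule.from.slice(0, -1); // "/doc/*" -> "/doc/"
  return requestPath.startsWith(prefix) ? requestPath.slice(prefix.length) : null;
}

// Resolve the rewritten target relative to /<db>/_design/<ddoc>/ (assumed model)
// and refuse it as soon as a ".." would climb above the /<db> segment.
function jailedRewrite(rule, requestPath, db, ddoc) {
  const rest = matchWildcard(rule, requestPath);
  if (rest === null) return { ok: false, reason: 'no_match' };
  const stack = [db, '_design', ddoc];
  let parts;
  try {
    // Function replacement avoids "$" patterns in the captured text being expanded.
    parts = segments(rule.to.replace('*', () => rest));
  } catch (e) {
    return { ok: false, reason: 'bad_encoding' }; // malformed percent-escape
  }
  for (const seg of parts) {
    if (seg === '..') {
      if (stack.length === 1) return { ok: false, reason: 'escapes_db' };
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return { ok: true, path: '/' + stack.join('/') };
}
```

The jail decision is made on the fully substituted and decoded target, so it does not depend on counting `..` in the raw request or on whether the rule contains a wildcard.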