[Pkg-erlang-devel] Bug#570013: Bug#570013: RESTful interface for browser Javascript is insecure

Sam Bisbee sbisbee at computervip.com
Tue Feb 16 22:58:45 UTC 2010


Hello Florian,

On Mon, Feb 15, 2010 at 09:44:07PM +0100, Florian Weimer wrote:
> Package: couchdb
> Version: 0.10.0-1
> Tags: upstream important
> 
> You cannot use a RESTful interface from a browser because it is open
> to CSRF attacks.  Using an HttpOnly cookie is not sufficient because
> some of our browsers do not support HttpOnly.

I'm not sure I understand what you're referring to here. It seems like you're
worried that Futon will send some sort of malicious attack to a Futon user. In
my opinion that is as likely as a malicious attack coming from an Apache httpd
server - it depends on what the user is doing or sending, not the server
itself.

> Furthermore, couchdb serves Javascript contained in database
> attachments back to the browser for execution, offering yet another
> attack vector which also affects browsers with HttpOnly support.

What Javascript are you referring to? Map/Reduce functions are run server side,
not on the client. If you are worried about users uploading malicious scripts
to a document that would run in someone's browser (which I think is your main
point from your mailing list post), then I don't think there's anything that
couchdb can do to stop that out of the box. The onus is on your application to
filter your data, just like it is with MySQL or any other database I can think
of (though you could do this filtering in couchdb with a validation function).

[snip]
> But lenny is exposed in a rather different way; it does not seem to
> offer any authentication at all.

Authentication has been in development for couchdb for quite some time, being
applied in different stages over the releases. Feel free to check out the
copious amounts of documentation about authentication and couchdb on upstream's
mailing list, wiki, etc.

Cheers,

-- 
Sam Bisbee
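Added example, not part of the original message or of the CouchDB project: the reply above says the filtering of stored content is the application's job but could also be done in couchdb with a validation function. The block below is one such function, written for the 0.10-era signature validate_doc_update(newDoc, oldDoc, userCtx), plus a small harness that runs it on constructed sample documents. It assumes that attachment metadata reaches the validation function in newDoc._attachments as {name: {content_type: ...}} and that throwing an object with a forbidden property rejects the update; the list of content types it refuses is this example's choice.

```javascript
// Added example (not from the original message or from CouchDB itself):
// a validate_doc_update function that rejects attachments whose declared
// content type a browser would execute or render as active content, so that
// the database does not serve user-supplied HTML or script to other users.
//
// Assumptions: CouchDB 0.10-era signature validate_doc_update(newDoc, oldDoc,
// userCtx); attachment stubs arrive in newDoc._attachments with a content_type
// field; rejecting an update is done by throwing {forbidden: '...'}.

// Content types that browsers treat as active content when fetched directly.
// This list is the example's own choice, not a CouchDB default.
const ACTIVE_CONTENT_TYPES = [
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'text/javascript',
  'application/javascript',
  'application/x-javascript',
  'application/ecmascript',
];

function validate_doc_update(newDoc, oldDoc, userCtx) {
  const attachments = newDoc._attachments || {};
  for (const name in attachments) {
    const ct = String(attachments[name].content_type || '').toLowerCase();
    // Drop parameters such as "; charset=utf-8" before comparing the type.
    const bare = ct.split(';')[0].trim();
    if (ACTIVE_CONTENT_TYPES.indexOf(bare) !== -1) {
      throw { forbidden: 'attachment ' + name + ' has active content type ' + bare };
    }
    // Refuse attachments with no declared type: served with a generic type,
    // some browsers sniff the body and may still render it as HTML.
    if (bare === '') {
      throw { forbidden: 'attachment ' + name + ' has no content type' };
    }
  }
}

// Harness for running the function outside the server: returns
// {ok: true} or {ok: false, reason} instead of throwing.
function checkUpdate(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc || null, userCtx || { name: 'alice', roles: [] });
    return { ok: true };
  } catch (e) {
    if (e && e.forbidden) return { ok: false, reason: e.forbidden };
    throw e;
  }
}

// Constructed sample documents (not real data).
const SAFE_DOC = { _id: 'report-1', _attachments: { 'data.csv': { content_type: 'text/csv', length: 120, stub: true } } };
const HTML_DOC = { _id: 'report-2', _attachments: { 'page.html': { content_type: 'text/html; charset=utf-8', length: 300, stub: true } } };
const NOTYPE_DOC = { _id: 'report-3', _attachments: { 'blob': { length: 3, stub: true } } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkUpdate(SAFE_DOC));   // { ok: true }
  console.log(checkUpdate(HTML_DOC));   // { ok: false, reason: '...text/html' }
  console.log(checkUpdate(NOTYPE_DOC)); // { ok: false, reason: '...no content type' }
}
```

A validation function of this kind only controls what gets stored; it does nothing about the CSRF point in the report, which concerns how the browser is talked into sending requests in the first place.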