On Mon, Mar 15, 2010 at 5:15 PM, Chris Anderson <[email protected]> wrote:
> On Mon, Mar 15, 2010 at 10:52 AM, Benoit Chesneau <[email protected]> wrote:
>> Hi all,
>>
>> As discussed on IRC, I would propose to add a default vhost option to
>> CouchDB:
>>
>> - it solves the problem when someone connects to CouchDB without a Host header
>> - it allows someone to not expose the whole API of CouchDB using the rewriter.
>>
>
> As long as we are discussing security, we should think about this:
> It'd be nice to be able to "sandbox" _design documents to a given
> database (the one they are hosted in). One way to do this is with a
> vhost rule that says mydb.mycouch.com may only make requests within
> /mydb/
>
> How to implement this is a bit tougher. Do we do path-based
> restrictions (after all rewrite rules have been applied)? Do we
> restrict the rewriter's ability to use ../../.. constructs so that it
> must stay within its own database?
This is needed if you want to have a _replicate handler at app level, though. But I don't see the need to restrict on this side; you are looking at it the wrong way. IMO we should restrict external calls, not internal ones. It could be done like I do in couchdbproxy (this version and the one coming): couchdbproxy takes all asks from this patch and uses it as a prefix for all locations. Internally you can still rewrite, but what a user will see is only locations prefixed by somepath/.

> This stuff is crucial for security, as people will be replicating
> around random applications, and we don't want some spyware app to have
> access to the database which hosts your financial information.

There are other problems for that, and maybe I missed some commit. I think about the possibility to read the users db, or maybe I missed a commit. Is there a handler like _security to create a user?
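The two implementation routes raised in this exchange, a path-based check applied after all rewrite rules have run and the couchdbproxy-style approach of prefixing every rewritten location with the database path, sketched in Python as an added example. This is not CouchDB or couchdbproxy code. The database name, request paths and rewrite targets are constructed, and the single round of percent-decoding is an assumption about how the server decodes paths. The `/_replicate` case shows the point made above: a strict per-database path check also blocks an app-level replication request.

```python
"""Confining rewritten request paths to the hosting database.

Added example written for this discussion; it is not CouchDB or couchdbproxy
code. Database name, request paths and rewrite targets below are constructed.
"""
from urllib.parse import unquote


def canonical_segments(path):
    """Resolve '.', '..' and empty segments after one round of percent-decoding.

    Assumption: the server decodes the path exactly once, so '%2e%2e' is '..'
    and an encoded '%2F' acts as a segment separator rather than being kept
    inside a segment. Returns None when the path climbs above the root.
    """
    segments = []
    for raw in path.split("/"):
        for part in unquote(raw).split("/"):
            if part in ("", "."):
                continue
            if part == "..":
                if not segments:
                    return None  # '..' with nothing left to pop: above root
                segments.pop()
            else:
                segments.append(part)
    return segments


def within_database(rewritten_path, db):
    """Path-based restriction checked after all rewrite rules have run.

    The request is allowed only if its canonical form starts with /<db>/,
    so '/mydb/../finance/...' and '/mydb/%2e%2e/finance/...' are rejected.
    """
    segments = canonical_segments(rewritten_path)
    return segments is not None and len(segments) > 0 and segments[0] == db


def resolve_within(db, target):
    """Prefix-style confinement: treat the rewrite target as relative to /<db>/.

    Returns the absolute path the proxy would forward, or None if the target
    tried to escape the prefix with '..'. Internal rewrites still work; only
    locations under /<db>/ are ever exposed.
    """
    segments = canonical_segments(target)
    if segments is None:
        return None
    return "/" + "/".join([db] + segments)


if __name__ == "__main__":
    db = "mydb"  # constructed: the database hosting the design document
    for path in ("/mydb/_design/app/_view/by_date",
                 "/mydb/../finance/_all_docs",
                 "/mydb/%2e%2e/finance/_all_docs",
                 "/mydb/..%2Ffinance/secret",
                 "/_replicate"):
        print(path, "->", "allowed" if within_database(path, db) else "blocked")
    for target in ("_view/by_date", "docs/../_all_docs", "../finance"):
        print(target, "->", resolve_within(db, target))
```

The post-rewrite check is the simpler policy to reason about, because it looks at the final path regardless of how many rewrite rules produced it; the prefix approach instead makes escape impossible by construction but needs the `..` handling shown here or the prefix can be popped off.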
