[ https://issues.apache.org/jira/browse/COUCHDB-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Smith updated COUCHDB-815:
--------------------------------

    Attachment: bad_allow_any_http_method.patch

This patch provides a good unit test. Its solution is wrong but instructive.

The simplest way to pass the test is to use to_atom instead of 
to_existing_atom. Unfortunately, this allows a denial of service. A buggy 
client or DOS attacker could hit the server with random HTTP methods and fill 
up the atom table, presumably leaking memory and probably crashing the VM when 
the OS kills it.

So, how can handle_request_int allow any HTTP method (at least if it is 
destined for _show, _list, _update) without creating an atom per method?

> Non-standard HTTP methods for view handlers (AKA WebDAV is b0rken) [PATCH]
> --------------------------------------------------------------------------
>
>                 Key: COUCHDB-815
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-815
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core
>    Affects Versions: 1.0
>            Reporter: Jason Smith
>            Priority: Minor
>         Attachments: bad_allow_any_http_method.patch
>
>
> CouchDB prevents the new view server handler methods, _show, _update, etc. 
> from handling unknown HTTP methods. This prevents Couch apps from being able 
> to implement extensions to the HTTP specification or to add 
> application-specific methods to HTTP, violating the spirit of _show and 
> _update.
> For example, it is not possible to make a CouchApp WebDAV server because 
> _show and _list must support the PROPFIND method.
> In couch_httpd:handle_request_int/5, the response from Mochi is coerced to an 
> atom if and only if the atom already exists (using 
> couch_util:to_existing_atom/1). That is an odd whitelist, to say the least:
>     $ curl localhost:5984 -X PROPFIND # Crashes mochiweb when to_existing_atom throws badarg
>     curl: (52) Empty reply from server
>     $ curl localhost:5984 -X list_to_binary # Any atom works
>     {"error":"method_not_allowed","reason":"Only GET,HEAD allowed"}
> Considering the cURL commands above, I filed this as a bug, not a feature. I 
> will explore some options and submit patches.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
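
One way to answer the question raised in the comment above, as an added example that is not part of the original message or of CouchDB's code: convert only methods on a fixed allowlist to atoms and hand everything else on as a binary, so unknown methods neither crash the request nor grow the atom table. The module name, function names and the allowlist contents are assumptions, as is the premise that the method arrives as an atom, a string or a binary.

```erlang
%% Added example, not CouchDB code. All names here are hypothetical.
-module(method_norm).
-export([normalize/1, demo/0]).

%% Methods the server dispatches on itself (assumed list). Writing them as
%% literals means these atoms exist as soon as the module is loaded.
known_methods() ->
    ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE', 'COPY'].

%% Returns an atom for allowlisted methods and a binary for anything else.
%% list_to_atom/1 is never called, so client input cannot create atoms.
normalize(Method) when is_atom(Method) ->
    Method;
normalize(Method) when is_binary(Method) ->
    normalize(binary_to_list(Method));
normalize(Method) when is_list(Method) ->
    try list_to_existing_atom(Method) of
        Atom ->
            %% An atom that merely exists somewhere in the VM (for example
            %% list_to_binary) is not treated as a valid HTTP method.
            case lists:member(Atom, known_methods()) of
                true -> Atom;
                false -> list_to_binary(Method)
            end
    catch
        error:badarg -> list_to_binary(Method)
    end.

%% Feeds 10000 constructed, previously unseen method names through
%% normalize/1 and returns how many atoms the VM gained meanwhile.
%% Requires OTP 20 or later for erlang:system_info(atom_count).
demo() ->
    Before = erlang:system_info(atom_count),
    'GET' = normalize("GET"),
    <<"PROPFIND">> = normalize("PROPFIND"),
    <<"list_to_binary">> = normalize("list_to_binary"),
    lists:foreach(
        fun(N) ->
            Junk = "XMETHOD" ++ integer_to_list(N),
            true = is_binary(normalize(Junk))
        end,
        lists:seq(1, 10000)),
    erlang:system_info(atom_count) - Before.
```

A handler for _show, _list or _update would then match on the binary (for example `<<"PROPFIND">>`) instead of on an atom.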
