On 3 May 2011, at 01:00, Martin Hilbig wrote: > hi, > > i want to program and rent couchapps. i want couchdb/bigcouch to be my db, > app and webserver. > > i dont want a middlelayer like a(n) (apache) proxy, just to filter out > clients which try cheating by using no Host header or ../../../ url trickery. > > can this be accomplished already? sadly i didnt find anything and i remember > @janl telling me that vhosts and rewrites arent meant to be security > features. why is that so?
This is by design, we didn't spend much time vetting these features for security, hence we don't recommend them for security purposes. > my naive thoughts of a secure vhost handling which makes proxies obsolete: > > * the vhost handler should redirect clients with no Host header to a > "default" vhost or send a 403/404. > > * requests containing (to many) .. or starting with _ in the resource should > also get redirected/404/403ed too. That sounds like a plan. I don't think the ../ are critical as long as you are in a confined vhost, but I may be wrong. > what other requests can you think of to circumvent the vhost handler/rewriter? > > are the 2 points above already possible today? please redirect me to docs. No. > where should i start hacking, when i want to implent them myself? src/couchdb/couch_httpd_vhost.erl > is anyone willing to implement them for me (or see how far she gets) in 10h = > 100eurs? yea this means i want those points so hard i would throw in 10h > hours or 100eurs or 100$ to get someone (at least) started on them. is this > okay or inappropriate here or is there a better place for couchdb job offers > (maybe the user@ list)? 10$/€ per hour probably won't get you many replies :) Cheers Jan --
