Could you give some detail on what you mean by a new couchapp engine?

Regards,
Olafur Arason

On Wed, May 4, 2011 at 06:11, Benoit Chesneau <[email protected]> wrote:
> On Tue, May 3, 2011 at 10:00 AM, Martin Hilbig <[email protected]> wrote:
>> hi,
>>
>> i want to program and rent couchapps. i want couchdb/bigcouch to be my db,
>> app and webserver.
>>
>> i don't want a middlelayer like a(n) (apache) proxy, just to filter out
>> clients which try cheating by using no Host header or ../../../ url
>> trickery.
>>
>> can this be accomplished already? sadly i didn't find anything and i remember
>> @janl telling me that vhosts and rewrites aren't meant to be security
>> features. why is that so?
>>
>> my naive thoughts of a secure vhost handling which makes proxies obsolete:
>>
>> * the vhost handler should redirect clients with no Host header to a
>> "default" vhost or send a 403/404.
>
> You can't do that, it would remove the ability to access to couchdb
> until vhosts are on the same port or couch db api prefixed. You can
> however change the way welcome works, there is a patch in jira for
> that.
>
>>
>> * requests containing (too many) .. or starting with _ in the resource should
>> also get redirected/404/403ed too.
>>
>> what other requests can you think of to circumvent the vhost
>> handler/rewriter?
>
> To sandbox couchapps you may need more work, to filter db access & co.
>
>>
>> are the 2 points above already possible today? please redirect me to docs.
>>
>> where should i start hacking, when i want to implement them myself?
>
> hacking couch_httpd_vhosts.erl or you can change the redirect function
> to adapt it to your own use:
>
> %% [httpd]
> %% redirect_vhost_handler = {Module, Fun}
> %%
> %% The function take 2 args : the mochiweb request object and the target
> %%% path.
>
>>
>> is anyone willing to implement them for me (or see how far she gets) in 10h
>> = 100eurs? yea this means i want those points so hard i would throw in 10h
>> hours or 100eurs or 100$ to get someone (at least) started on them. is this
>> okay or inappropriate here or is there a better place for couchdb job offers
>> (maybe the user@ list)?
>>
>> have fun
>> martin
>>
>>
>
> 10$/h isn't so much :) I'm working on a new couchapp engine, that will
> be probably released this month and rework the way vhosts work. In
> the meantime don't hesitate to play with the code :)
>
> - benoît
>
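
The two checks Martin proposes (reject requests without a Host header, reject `..` and `_`-prefixed resources), written as a stand-alone decision function. This is an added example, not code from the thread or from CouchDB; `check_request`, `fully_decode`, the vhost set and the hostnames are assumptions for illustration, and it goes beyond the post by rejecting unknown hosts and unwrapping nested percent-encoding.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: how many layers of percent-encoding to unwrap


def fully_decode(path):
    """Percent-decode until stable, so %252e%252e is recognised as '..'.

    Returns None if the path is still changing after MAX_DECODE_ROUNDS.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return None


def check_request(headers, raw_target, known_vhosts):
    """Return (status, reason). 200 means: pass on to the vhost handler.

    headers      -- dict of request headers (any key case)
    raw_target   -- request target exactly as sent, e.g. "/a/b?x=1"
    known_vhosts -- set of lower-case hostnames that map to a couchapp
    """
    host = next((v for k, v in headers.items() if k.lower() == "host"), "")
    host = host.strip().lower()
    if not host:
        return 403, "missing Host header"
    hostname = host.split(":")[0]  # drop the port (IPv6 literals not handled)
    if hostname not in known_vhosts:
        return 404, "unknown vhost"

    # Only the path part is inspected; the query string is left alone.
    path = fully_decode(raw_target.split("?", 1)[0])
    if path is None:
        return 400, "excessive percent-encoding"

    # Treat backslashes as separators so "..\" cannot slip past the check.
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            return 403, "path traversal segment"
        # Stricter than the post: any segment starting with "_", not only
        # the first one, so /_utils, /_all_dbs and /db/_design are refused.
        if segment.startswith("_"):
            return 403, "reserved '_' resource"
    return 200, "ok"
```

A check like this only decides what reaches the vhost handler; as Benoit notes, sandboxing couchapps still needs filtering of database access behind it.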
