Doesn't this allow malicious user agents to craft spoofed log entries for
CouchDB? You could make it look like something very serious was happening,
causing the CouchDB admin to take measures that harm the server or the data
it contains. If we're going to do this at all (and I am not sure I see a
valid use case here) then the message should be prefixed with a big fat
notice that it's user generated.

On Sun, Oct 30, 2011 at 4:39 PM, <[email protected]> wrote:

> Updated Branches:
>  refs/heads/master f94530da9 -> 6cffccdfe
>
>
> Allow POST to _log.
>
> POST /_log {"level":"info|debug|error", "message":"your message here"}
>
> Patch by Robert Newson.
>
> Closes COUCHDB-464
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/6cffccdf
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/6cffccdf
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/6cffccdf
>
> Branch: refs/heads/master
> Commit: 6cffccdfe08e6d859cc7e83be3bcc521bf68fd5a
> Parents: f94530d
> Author: Jan Lehnardt <[email protected]>
> Authored: Sun Oct 30 17:38:18 2011 +0100
> Committer: Jan Lehnardt <[email protected]>
> Committed: Sun Oct 30 17:38:18 2011 +0100
>
> ----------------------------------------------------------------------
>  src/couchdb/couch_httpd_misc_handlers.erl |   21 ++++++++++++++++++---
>  1 files changed, 18 insertions(+), 3 deletions(-)
> ----------------------------------------------------------------------
>
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/6cffccdf/src/couchdb/couch_httpd_misc_handlers.erl
> ----------------------------------------------------------------------
> diff --git a/src/couchdb/couch_httpd_misc_handlers.erl
> b/src/couchdb/couch_httpd_misc_handlers.erl
> index 8abf0aa..ae6ffe3 100644
> --- a/src/couchdb/couch_httpd_misc_handlers.erl
> +++ b/src/couchdb/couch_httpd_misc_handlers.erl
> @@ -254,7 +254,22 @@ handle_log_req(#httpd{method='GET'}=Req) ->
>     ]),
>     send_chunk(Resp, Chunk),
>     last_chunk(Resp);
> +handle_log_req(#httpd{method='POST'}=Req) ->
> +    {PostBody} = couch_httpd:json_body_obj(Req),
> +    Level = couch_util:get_value(<<"level">>, PostBody),
> +    Message = ?b2l(couch_util:get_value(<<"message">>, PostBody)),
> +    case Level of
> +    <<"debug">> ->
> +        ?LOG_DEBUG(Message, []),
> +        send_json(Req, 200, {[{ok, true}]});
> +    <<"info">> ->
> +        ?LOG_INFO(Message, []),
> +        send_json(Req, 200, {[{ok, true}]});
> +    <<"error">> ->
> +        ?LOG_ERROR(Message, []),
> +        send_json(Req, 200, {[{ok, true}]});
> +    _ ->
> +        send_json(Req, 400, {[{error, ?l2b(io_lib:format("Unrecognized
> log level '~s'", [Level]))}]})
> +    end;
>  handle_log_req(Req) ->
> -    send_method_not_allowed(Req, "GET").
> -
> -
> +    send_method_not_allowed(Req, "GET,POST").
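Review bot: The three logging calls in the new POST clause pass the client-supplied `Message` in the format-string position with an empty argument list, so if these macros hand their first argument to `io_lib:format` (their definitions are outside the hunk), a message containing a `~` control sequence would raise instead of being logged. Passing the text as data avoids that: `?LOG_DEBUG("~s", [Message])`, and likewise for `?LOG_INFO` and `?LOG_ERROR`. `?b2l(couch_util:get_value(<<"message">>, PostBody))` also runs before the level is checked and will presumably fail when the `message` field is absent or not a string, so that case should be answered with a 400 like the unrecognized-level branch. No admin check is visible in this clause; the GET clause begins outside the hunk, so it is worth confirming that POST gets the same access control as GET.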
>
>
