[
https://issues.apache.org/jira/browse/COUCHDB-1314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Filipe Manana closed COUCHDB-1314.
----------------------------------
Resolution: Fixed
Fix Version/s: 1.2
This issue is fixed by the recently committed security changes.
Consult the following wiki pages:
http://wiki.apache.org/couchdb/Security_Features_Overview
http://wiki.apache.org/couchdb/Breaking_changes
> Couchdb _replicator documents should not show passwords in clear text
> ---------------------------------------------------------------------
>
> Key: COUCHDB-1314
> URL: https://issues.apache.org/jira/browse/COUCHDB-1314
> Project: CouchDB
> Issue Type: Improvement
> Components: Replication
> Affects Versions: 1.1
> Reporter: Dario Freire
> Priority: Critical
> Labels: replication, replicator, security
> Fix For: 1.2
>
>
> The documents stored in the _replicator database show passwords in clear text.
> Imagine a scenario where a developer provides a couchdb app that runs in a
> central location and must synchronize with user's local couchdb instances.
> The users would need to pull updates to their database by adding a document
> to _replicator:
> {
> "_id": "great-app",
> "source": "http://great-app-provider.com:5984/great-app",
> "target": "my-great-app",
> "create_target": true
> }
> Now if the developer doesn't want his central couchdb instance to be public,
> he needs to protect it by creating an admin party.
> The problem is that he cannot longer share his database for replication
> because doing so would reveal the admin credentials to the app users.
> i.e. in order for the synchronization to work the users would need to update
> their _replicator documents to:
> {
> "_id": "great-app",
> "source": "http://admin:<password>@great-app-provider.com:5984/great-app",
> "target": "my-great-app",
> "create_target": true
> }
> All in plain text.
> Thus, the users would know how to access the restricted central couchdb
> instance.
> This is just a possible scenario where showing credentials in plain text is a
> problem, but by no means is the only scenario where it is a problem.
> Since one of the "selling points" of couchdb is its outstanding ability to
> synchronize databases, the security concerns caused by this issue make it
> impossible to use in practice.
> Because of this, it looks like an improvement on this matter is of critical
> importance.
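The risk the report describes is that a credential embedded in the userinfo part of a `source` or `target` URL is stored, and therefore readable, in the `_replicator` document itself. The following audit helper is an added example, not code from the ticket or from CouchDB: it walks a set of replicator documents, flags every endpoint URL that carries an embedded username/password, and produces a redacted copy that is safe to log or show in an admin view. The sample documents, the `s3cret` and `hunter2` passwords, and the hostnames are constructed for the example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample _replicator documents (not taken from the ticket): the first
# embeds admin credentials in its source URL, the second in its target URL.
SAMPLE_DOCS = [
    {
        "_id": "great-app",
        "source": "http://admin:s3cret@great-app-provider.com:5984/great-app",
        "target": "my-great-app",
        "create_target": True,
    },
    {
        "_id": "other-app",
        "source": "http://other-provider.example:5984/other-app",
        "target": "http://bob:hunter2@localhost:5984/other-app-copy",
    },
]

# The two replicator fields that may name a remote database by URL.
ENDPOINT_FIELDS = ("source", "target")


def endpoint_url(value):
    """Return the URL string for a source/target value, or None.

    A bare local database name such as "my-great-app" is not a URL. The object
    form ({"url": ..., "headers": ...}) is unwrapped to its "url" member.
    """
    if isinstance(value, dict):
        value = value.get("url")
    if not isinstance(value, str) or "://" not in value:
        return None
    return value


def embedded_credentials(url):
    """Return (username, password) if the URL carries userinfo, else None."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    return (parts.username or "", parts.password or "")


def redact_url(url):
    """Replace the password in the userinfo part with a fixed marker."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def audit_replicator_docs(docs):
    """Return one finding per document field whose URL embeds credentials."""
    findings = []
    for doc in docs:
        for field in ENDPOINT_FIELDS:
            url = endpoint_url(doc.get(field))
            if url is None:
                continue
            creds = embedded_credentials(url)
            if creds is None:
                continue
            findings.append({
                "doc_id": doc.get("_id"),
                "field": field,
                "username": creds[0],
                "redacted_url": redact_url(url),
            })
    return findings


def redact_doc(doc):
    """Return a shallow copy of a replicator document safe to log or display."""
    safe = dict(doc)
    for field in ENDPOINT_FIELDS:
        url = endpoint_url(doc.get(field))
        if url is None:
            continue
        if isinstance(doc[field], dict):
            safe[field] = dict(doc[field], url=redact_url(url))
        else:
            safe[field] = redact_url(url)
    return safe


if __name__ == "__main__":
    for finding in audit_replicator_docs(SAMPLE_DOCS):
        print(json.dumps(finding))
    for doc in SAMPLE_DOCS:
        print(json.dumps(redact_doc(doc)))
```

Only the password is masked; the username and host are kept so an administrator can still tell which account and which remote the document uses. Run against a dump of the `_replicator` database, the finding list is the inventory of documents whose credentials need rotating once the embedded form is replaced.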