Nathan Vander Wilt created COUCHDB-1607:
-------------------------------------------
Summary: cookie_authentication_handler does not properly handle
AuthSession signatures starting with ":" character(s)
Key: COUCHDB-1607
URL: https://issues.apache.org/jira/browse/COUCHDB-1607
Project: CouchDB
Issue Type: Bug
Affects Versions: 1.2
Reporter: Nathan Vander Wilt
Priority: Critical
AuthSession cookies will intermittently "break" — a user will have a perfectly
valid session, but suddenly after their cookie gets refreshed they can randomly
get "logged out" for practical purposes.
The cause is that Erlang's `string:tokens` behaviour does act as this code
expects:
https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L163
https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L183
After evaluating `[A,B | C] = string:tokens("a:b::c:d").` the value of C is not
`["","c","d"]` but rather `["c","d"]`. So when rejoined, the signature becomes
"c:d" instead of the original ":c:d"!
It appears that using re.split/2 would avoid this problem, but yields a
list/array result containing <<"">> instead of "" types, which string:join does
not like. Should be pretty quick fix though for someone who knows just a bit
more of the Erlang way.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
