[ https://issues.apache.org/jira/browse/COUCHDB-2221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joan Touzet closed COUCHDB-2221. -------------------------------- Resolution: Fixed > malformed iterations field in _users doc causes authentication hang > ------------------------------------------------------------------- > > Key: COUCHDB-2221 > URL: https://issues.apache.org/jira/browse/COUCHDB-2221 > Project: CouchDB > Issue Type: Bug > Components: Database Core > Reporter: Isaac Z. Schlueter > Assignee: Joan Touzet > > Create a user account with the following details: > { > "_id":"org.couchdb.user:test-user", > "name":"test-user", > "password":"this is a test" > "roles":[], > "type":"user" > } > CouchDB will PBKDF2-ify the password in the _users doc. So far so good. > Then, try this: > ubuntu@ip-172-31-35-228:~$ curl > http://localhost:5984/_users/org.couchdb.user:test-user -u "test-user:this is > not the correct password" -vvv > * About to connect() to localhost port 5984 (#0) > * Trying 127.0.0.1... connected > * Server auth using Basic with user 'test-user' > > GET /_users/org.couchdb.user:test-user HTTP/1.1 > > Authorization: Basic > > dGVzdHVzZXI6dGhpcyBpcyBub3QgdGhlIGNvcnJlY3QgcGFzc3dvcmQ= > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 > > zlib/1.2.3.4 libidn/1.23 librtmp/2.3 > > Host: localhost:15984 > > Accept: */* > > > And then it hangs indefinitely. > This does not happen when the user account uses password_sha. For example: > ubuntu@ip-172-31-35-228:~$ curl > http://localhost:15984/_users/org.couchdb.user:testuserasdf -u > "testuserasdf:this is not the correct password" -vvv > * About to connect() to localhost port 15984 (#0) > * Trying 127.0.0.1... connected > * Server auth using Basic with user 'testuserasdf' > > GET /_users/org.couchdb.user:testuserasdf HTTP/1.1 > > Authorization: Basic > > dGVzdHVzZXJhc2RmOnRoaXMgaXMgbm90IHRoZSBjb3JyZWN0IHBhc3N3b3Jk > > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 > > zlib/1.2.3.4 libidn/1.23 librtmp/2.3 > > Host: localhost:15984 > > Accept: */* > > > < HTTP/1.1 401 Unauthorized > < Server: CouchDB/1.5.0 (Erlang OTP/R14B04) > < Date: Sat, 05 Apr 2014 22:58:54 GMT > < Content-Type: text/plain; charset=utf-8 > < Content-Length: 67 > < Cache-Control: must-revalidate > < > {"error":"unauthorized","reason":"Name or password is incorrect."} > * Connection #0 to host localhost left intact > * Closing connection #0 > This is a serious and urgent problem for npm. > At the urging of many people in the CouchDB and Node.js community, we've been > migrating users to pbkdf2 accounts. However, rather than quickly report > authorization failures, it hangs indefinitely, and eventually our TLS > terminator returns a 500 or our CDN returns a 503. > Because the appropriate HTTP response code is not being returned, we cannot > hope to properly handle the situation. It looks like the server has just > fallen over. Already the user experience has started to get pretty awful. > What's worse, I fear that this is a DOS exploit, because it ties up a > connection for a very long time. The npm registry is somewhat insulated by > our CDN, but any CouchDB using pbkdf2 password storage is vulnerable. -- This message was sent by Atlassian JIRA (v6.3.4#6332)