wohali commented on issue #856: Bypass authentication check for /_up
URL: https://github.com/apache/couchdb/pull/856#issuecomment-333575446
 
 
   from IRC:
   
   ```irc
   11:41 <+rnewson> hm, yes, I see your point.
   11:41 <+Wohali> if i don't punch a hole through
                   couch_httpd_auth:default_authentication_handler, there's no way
                   to actually get to chttpd_auth_request
   11:41 <+Wohali> and chttpd_auth_request already has the right settings for _up
   11:42 <+rnewson> well, that hole won't be sufficient but I understand
   11:42 <+rnewson> a request with a cookie would not go through there (etc)
   11:43 <+Wohali> yeah
   11:43 <+Wohali> but the assumption is this is just for healthcheck services
                   that won't supply any creds
   11:44 <+rnewson> yes, understood.
   11:44 <+rnewson> but require_valid_user=true is defined as requiring
                    authentication for every request (even _session, which is at
                    least as silly as _up)
   11:44 <+Wohali> i guess i could add an entirely new {couch_httpd_auth,
                   massive_security_hole_authentication_handler}
   11:44 <+rnewson> so we'd need another config to punch a hole in that, rather
                    than change what require_valid_user=true means.
   11:45 <+rnewson> so long as there's a config setting (default to current
                    behaviour) I'm ok with the proposed change (though not
                    necessarily the impl)
   11:45 <+Wohali> ok, will look at later
   ```
 