[ 
https://issues.apache.org/jira/browse/COUCHDB-2221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Joan Touzet closed COUCHDB-2221.
--------------------------------
    Resolution: Fixed

> malformed iterations field in _users doc causes authentication hang
> -------------------------------------------------------------------
>
>                 Key: COUCHDB-2221
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2221
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core
>            Reporter: Isaac Z. Schlueter
>            Assignee: Joan Touzet
>
> Create a user account with the following details:
> {
>   "_id":"org.couchdb.user:test-user",
>   "name":"test-user",
>   "password":"this is a test",
>   "roles":[],
>   "type":"user"
> }
> CouchDB will PBKDF2-ify the password in the _users doc.  So far so good.
> Then, try this:
> ubuntu@ip-172-31-35-228:~$ curl http://localhost:5984/_users/org.couchdb.user:test-user -u "test-user:this is not the correct password" -vvv
> * About to connect() to localhost port 5984 (#0)
> *   Trying 127.0.0.1... connected
> * Server auth using Basic with user 'test-user'
> > GET /_users/org.couchdb.user:test-user HTTP/1.1
> > Authorization: Basic dGVzdHVzZXI6dGhpcyBpcyBub3QgdGhlIGNvcnJlY3QgcGFzc3dvcmQ=
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: localhost:15984
> > Accept: */*
> >
> And then it hangs indefinitely.
> This does not happen when the user account uses password_sha.  For example:
> ubuntu@ip-172-31-35-228:~$ curl http://localhost:15984/_users/org.couchdb.user:testuserasdf -u "testuserasdf:this is not the correct password" -vvv
> * About to connect() to localhost port 15984 (#0)
> *   Trying 127.0.0.1... connected
> * Server auth using Basic with user 'testuserasdf'
> > GET /_users/org.couchdb.user:testuserasdf HTTP/1.1
> > Authorization: Basic dGVzdHVzZXJhc2RmOnRoaXMgaXMgbm90IHRoZSBjb3JyZWN0IHBhc3N3b3Jk
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: localhost:15984
> > Accept: */*
> >
> < HTTP/1.1 401 Unauthorized
> < Server: CouchDB/1.5.0 (Erlang OTP/R14B04)
> < Date: Sat, 05 Apr 2014 22:58:54 GMT
> < Content-Type: text/plain; charset=utf-8
> < Content-Length: 67
> < Cache-Control: must-revalidate
> <
> {"error":"unauthorized","reason":"Name or password is incorrect."}
> * Connection #0 to host localhost left intact
> * Closing connection #0
> This is a serious and urgent problem for npm.
> At the urging of many people in the CouchDB and Node.js community, we've been 
> migrating users to pbkdf2 accounts.  However, rather than quickly report 
> authorization failures, it hangs indefinitely, and eventually our TLS 
> terminator returns a 500 or our CDN returns a 503.
> Because the appropriate HTTP response code is not being returned, we cannot 
> hope to properly handle the situation.  It looks like the server has just 
> fallen over.  Already the user experience has started to get pretty awful.
> What's worse, I fear that this is a DOS exploit, because it ties up a 
> connection for a very long time.  The npm registry is somewhat insulated by 
> our CDN, but any CouchDB using pbkdf2 password storage is vulnerable.
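The defensive check the report implies, as an added example that is not part of the issue or of CouchDB's code: validate the pbkdf2 fields of a _users doc (integer iterations within a cap, hex salt and derived_key) before running PBKDF2 at all, so a malformed or oversized iterations value gets a prompt failure instead of a hung request. It assumes PBKDF2-HMAC-SHA1 with a 20-byte derived key, an assumed policy cap MAX_ITERATIONS, and a constructed sample doc built by make_user_doc.

```python
import hashlib
import hmac
import re

# Policy cap on PBKDF2 iterations per login attempt (assumed value, not a
# CouchDB setting): a huge or malformed field must not tie up the request.
MAX_ITERATIONS = 100_000
HEX_RE = re.compile(r"^[0-9a-f]+$")

def check_pbkdf2_user_doc(doc):
    """Return the problems found in a pbkdf2-style _users doc ([] if none)."""
    problems = []
    if doc.get("password_scheme") != "pbkdf2":
        problems.append("password_scheme is not pbkdf2")
    iters = doc.get("iterations")
    # bool is an int subclass in Python, so reject it explicitly.
    if isinstance(iters, bool) or not isinstance(iters, int):
        problems.append("iterations is not an integer")
    elif iters < 1:
        problems.append("iterations must be >= 1")
    elif iters > MAX_ITERATIONS:
        problems.append(f"iterations {iters} exceeds cap {MAX_ITERATIONS}")
    for field in ("salt", "derived_key"):
        value = doc.get(field)
        if not isinstance(value, str) or not HEX_RE.match(value):
            problems.append(f"{field} is not a lowercase hex string")
    return problems

def verify_password(doc, password):
    """Check a password against the doc; never runs PBKDF2 on a bad doc.
    Returns (ok, reason) so the caller can answer 401 promptly."""
    problems = check_pbkdf2_user_doc(doc)
    if problems:
        return False, "; ".join(problems)
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                  bytes.fromhex(doc["salt"]),
                                  doc["iterations"],
                                  dklen=len(doc["derived_key"]) // 2)
    if hmac.compare_digest(derived.hex(), doc["derived_key"]):
        return True, "ok"
    return False, "Name or password is incorrect."

def make_user_doc(name, password, salt_hex, iterations):
    """Build a constructed _users doc the way a server would store it."""
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), iterations, dklen=20)
    return {"_id": f"org.couchdb.user:{name}", "name": name, "roles": [],
            "type": "user", "password_scheme": "pbkdf2", "iterations": iterations,
            "salt": salt_hex, "derived_key": key.hex()}
```

A wrong password and a malformed doc both return immediately with a distinct reason, which is what lets the server send the 401 the reporter never received.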



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)