Firstly, security issues (even suspected ones) should not be posted to a public mailing list (use secur...@couchdb.apache.org)

Secondly, you ask "Shouldn't couchdb prevent the author field from being updated?" The answer, of course is, "Yes, if a validate_doc_update function prevents it". Yours doesn't but should.

B.

On 29 Aug 2012, at 19:28, Wordit wrote:

> I may have stumbled upon a security issue in validation functions.
> Maybe somebody else can try to confirm this. I've been using the
> validation function mentioned several times in the user guide:
>
> function (newDoc, oldDoc, userCtx) {
>   if (newDoc.author) {
>     if(newDoc.author != userCtx.name) {
>       throw({"forbidden": "You may only update documents with author " +
>         userCtx.name});
>     }
>   }
> }
>
> A user who is *not* newDoc.author will be prevented from updating the
> document when editing. So far so good. However, to get around security
> and edit the document, a user who is not author, only has to change
> the author field to their name. Voila, they can now edit all other
> fields. Works in Futon in two steps, from Curl in one step.
>
> I've been testing this on iriscouch.com, so it's the currently hosted
> version I'm referring to. I first noticed using curl. Something like
> this:
>
> db has two fields.
> author: usera
> text: my wonderful text
>
> The goal is to change field "text" as another user, e.g. "userb".
> userb just has to update the author field from usera to userb:
>
> curl -X PUT http://userb:pa...@example.iriscouch.com:5984/db/123 -d
> '{"_rev":"3-456","author":"userb"}' -H "Content-type:
> application/json"
>
> couch returns new _rev:4-567
>
> Now the document belongs to userb, the text field can be updated.
>
> curl -X PUT http://userb:pa...@example.iriscouch.com:5984/db/123 -d
> '{"_rev":"4-567","author":"userb", "text":"gottcha"}' -H
> "Content-type: application/json"
>
> Actually, it worked in one go for me to just overwrite the author
> field and change other fields. It didn't require two steps in Curl.
>
> Shouldn't couchdb prevent the author field from being updated? It
> seems this only works with the name of the currently authenticated
> user. You cannot enter just anything into the author field.
>
> Can anyone confirm, and if this is correct, how can the document be secured?
>
> Thanks,
>
> Marcus
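An added example, not part of the original thread or of CouchDB's own code: the validation function quoted above next to one way to write the check the reply asks for, comparing the caller against the stored revision (`oldDoc`) instead of the incoming one. The names `weakValidate`, `strictValidate` and `outcome`, the admin bypass, and the sample documents are assumptions made for illustration.

```javascript
// Added example; runs under Node.js outside CouchDB. Documents and user
// contexts below are constructed to mirror the thread's usera/userb case.

// The function quoted in the thread: it only looks at the *incoming* author.
function weakValidate(newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({forbidden: "You may only update documents with author " + userCtx.name});
    }
  }
}

// Hardened variant: ownership is decided by the stored revision (oldDoc).
function strictValidate(newDoc, oldDoc, userCtx) {
  if (userCtx.roles.indexOf("_admin") !== -1) return;  // assumption: admins may edit
  // oldDoc is null on create; on update or delete it must belong to the caller.
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw({forbidden: "Only the stored author may change this document"});
  }
  if (newDoc._deleted) return;                         // tombstones carry no fields
  // author is mandatory and must be the caller, so it cannot be reassigned.
  if (newDoc.author !== userCtx.name) {
    throw({forbidden: "author must be " + userCtx.name});
  }
}

// Call a validator the way CouchDB would and report what happened.
function outcome(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx);
    return "accepted";
  } catch (e) {
    return "forbidden: " + e.forbidden;
  }
}

// Constructed sample data matching the thread's description.
const stored = {_id: "123", _rev: "3-456", author: "usera", text: "my wonderful text"};
const update = {_id: "123", _rev: "3-456", author: "userb", text: "gottcha"};
const usera = {name: "usera", roles: []};
const userb = {name: "userb", roles: []};

console.log("weak,   userb:", outcome(weakValidate, update, stored, userb));
console.log("strict, userb:", outcome(strictValidate, update, stored, userb));
console.log("strict, usera:", outcome(strictValidate,
  Object.assign({}, stored, {text: "edited"}), stored, usera));
```

In a design document the function is stored as the string value of the `validate_doc_update` field; documents written before the check was deployed that lack an `author` can then only be changed by an admin.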