CouchDB / COUCHDB-1275

Futon's recent database list doesn't decode slashes in database names

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.1
    • Fix Version/s: None
    • Component/s: Futon
    • Labels: None
    • Skill Level: Regular Contributors Level (Easy to Medium)

      Description

      Create a database with a slash in its name; Futon goes to the database view automatically and adds it to the recent databases list. The list displays the encoded %2f instead of the /.

      Here's a quick fix: http://friendpaste.com/1WORPAfSY5MUyoisaAQtZB

      I tested it for XSS but I may have overlooked something and I'd appreciate a review.
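As an added example (not the fix linked above and not Futon's own code), the following JavaScript shows the two steps this ticket and its discussion turn on: percent-decode the stored name for display, so that `foo%2fbar` reads `foo/bar`, and HTML-escape the result before it goes into the list markup, so that a bogus name arriving through the URL or the recent-dbs cookie renders as text instead of markup. The `database.html?…` link format and the function names are assumptions made for the example. A deliberately wrong variant that escapes first and decodes afterwards is included to show why the order matters: an encoded `%3Cb%3E` passes the escape untouched and only turns into `<b>` afterwards.

```javascript
// Added example, not CouchDB/Futon code. Renders one entry of a
// "recent databases" list from a percent-encoded name such as "foo%2fbar".

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Percent-decode the stored name. Malformed input (e.g. a lone "%") would make
// decodeURIComponent throw; keep such a name verbatim so one bad entry cannot
// break rendering of the whole list.
function decodeDbName(raw) {
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// Correct order: decode for display, then escape for markup. The href is
// re-encoded from the decoded name and escaped as an attribute value.
// (The "database.html?<name>" link shape is an assumption of this example.)
function renderRecentDbEntry(rawName) {
  const display = decodeDbName(rawName);
  const href = 'database.html?' + encodeURIComponent(display);
  return '<li><a href="' + escapeHtml(href) + '">' + escapeHtml(display) + '</a></li>';
}

// Wrong order, kept only to demonstrate the failure mode: escaping the
// still-encoded name changes nothing, and decoding afterwards reintroduces
// raw markup characters into the output.
function renderEscapeThenDecode(rawName) {
  return '<li>' + decodeDbName(escapeHtml(rawName)) + '</li>';
}

// Constructed sample inputs: a name with an encoded slash, a name containing
// literal markup, and a name with encoded markup.
const SAMPLES = ['foo%2fbar', '<b>not text</b>db', '%3Cb%3Enot%20text%3C%2Fb%3E'];

for (const name of SAMPLES) {
  console.log('safe:   ' + renderRecentDbEntry(name));
  console.log('unsafe: ' + renderEscapeThenDecode(name));
}
```

Run it with Node; the "safe" lines never contain a literal `<b>` or `<script>` tag, while the "unsafe" line for the third sample does.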

        Activity

        Jan Lehnardt added a comment -

        yeah

        Sam Bisbee added a comment -

        Since there is no danger of XSS and the CSRF issues aren't related to this ticket, +1 on merge?

        Sam Bisbee added a comment -

        Ah! Gotcha. Yeah, that crossed over into CSRF territory for me.

        Jan Lehnardt added a comment -

        (thank you JIRA for making my point of escaping this being the solution)

        Jan Lehnardt added a comment -

        Nope, from the browser sending that URL into Futon.

        i.e. click on this: <a href="http://127.0.01:5984/_utils?<script>alert('hello'):</script>databasename">Free Stuff</a> and it'll show up in the recent db's list via a cookie.

        Sam Bisbee added a comment -

        Right, but my point is how do those db names get in there? From futon's code querying the database for db names.

        Jan Lehnardt added a comment -

        db name restrictions don't help as Futon happily accepts bogus DB names and puts them in the recent-dbs list.

        Sam Bisbee added a comment -

        Looks good to me.

        Also, we aren't open to a lot of the XSS attacks due to our db naming restrictions. That plus who you allow to create databases are the real safeguards.

        Jan Lehnardt created issue -

          People

          • Assignee: Unassigned
          • Reporter: Jan Lehnardt
          • Votes: 0
          • Watchers: 1
