COUCHDB-1275

Futon's recent database list doesn't decode slashes in database names

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.1
    • Fix Version/s: 1.7.0
    • Component/s: Futon
    • Labels: None
    • Skill Level: Regular Contributors Level (Easy to Medium)

      Description

      Create a database with a slash in it; Futon will go to the database view automatically and add it to the recent databases list. The list will display the encoded %2f instead of the /.

      Here's a quick fix: http://friendpaste.com/1WORPAfSY5MUyoisaAQtZB

      I tested it for XSS but I may have overlooked something and I'd appreciate a review.
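The pattern the fix in this ticket relies on is "decode for display, then escape before putting the name into markup": the label shows `/` rather than `%2f`, while a name that arrived through a crafted URL is rendered as inert text. The following is an added example written for this page, not Futon's own code or the patch from the ticket; the `/_utils/database.html?` link form and the function names are assumptions, and the sample names are constructed.

```javascript
// Added example (not Futon's code): render a "recent databases" list from
// percent-encoded names as this ticket's fix describes: decode the name for
// display, then HTML-escape it, so a hostile name cannot execute.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Decode a percent-encoded database name for display. Malformed input
// (for example a lone "%") makes decodeURIComponent throw a URIError;
// fall back to the raw string rather than dropping the entry or breaking
// the whole list.
function decodeDbName(encoded) {
  try {
    return decodeURIComponent(encoded);
  } catch (e) {
    return encoded;
  }
}

// Build the <li> markup for one entry. The href keeps the encoded form so a
// "/" inside a name still routes to the right database, while the visible
// label shows the decoded form. Both are escaped before entering markup.
// The "/_utils/database.html?" link shape is an assumption for this example.
function renderRecentDb(encodedName) {
  const label = decodeDbName(encodedName);
  return '<li><a href="/_utils/database.html?' + escapeHtml(encodedName) + '">' +
         escapeHtml(label) + '</a></li>';
}

function renderRecentDbList(encodedNames) {
  return "<ul>" + encodedNames.map(renderRecentDb).join("") + "</ul>";
}

// Constructed sample input, shaped like values a recent-dbs cookie might hold.
const SAMPLE_RECENT = [
  "customers%2Forders",                       // displays as "customers/orders"
  "<script>alert('hello')</script>dbname",    // hostile name from a crafted URL
  "100%-valid",                               // malformed percent-encoding
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderRecentDbList(SAMPLE_RECENT));
}
```

The point of escaping after decoding is that decoding can produce `<`, `>` or quotes that were not present in the encoded form; escaping the raw cookie value first and decoding afterwards would reintroduce them.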

        Activity

        ASF subversion and git services added a comment -

        Commit 0d5bf69314022d48a12210af1610b759440de2b7 in couchdb-futon's branch refs/heads/master from Alexander Shorin
        [ https://git-wip-us.apache.org/repos/asf?p=couchdb-futon.git;h=0d5bf69 ]

        Show decoded database names in the recently used list

        Patch made by @janl for COUCHDB-1275.
        Alexander Shorin made changes -

        Field           Original Value   New Value
        Resolution                       Fixed [ 1 ]
        Fix Version/s                    1.7.0 [ 12326160 ]
        Assignee                         Jan Lehnardt [ janl ]
        Status          Open [ 1 ]       Resolved [ 5 ]
        ASF subversion and git services added a comment -

        Commit ee0742c502751b32bbb55fd8f685262fe87bc1ad in couchdb's branch refs/heads/1.x.x from Alexander Shorin
        [ https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=ee0742c ]

        Show decoded database names in the recently used list

        Patch made by @janl for COUCHDB-1275.
        Jan Lehnardt added a comment -

        yeah
        Sam Bisbee added a comment -

        Since there is no danger of XSS and the CSRF issues aren't related to this ticket, +1 on merge?
        Sam Bisbee added a comment -

        Ah! Gotcha. Yeah, that crossed over into CSRF territory for me.
        Jan Lehnardt added a comment -

        (thank you JIRA for making my point of escaping this being the solution)
        Jan Lehnardt added a comment -

        Nope, from the browser sending that URL into Futon.

        i.e. click on this: <a href="http://127.0.01:5984/_utils?<script>alert('hello'):</script>databasename">Free Stuff</a> and it'll show up in the recent db's list via a cookie.
        Sam Bisbee added a comment -

        Right, but my point is how do those db names get in there? From futon's code querying the database for db names.
        Jan Lehnardt added a comment -

        db name restrictions don't help as Futon happily accepts bogus DB names and puts them in the recent-dbs list.
        Sam Bisbee added a comment -

        Looks good to me.

        Also, we aren't open to a lot of the XSS attacks due to our db naming restrictions. That plus who you allow to create databases are the real safeguards.
        Jan Lehnardt created issue -

          People

          • Assignee: Jan Lehnardt
          • Reporter: Jan Lehnardt
          • Votes: 0
          • Watchers: 2
