Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
1.2
-
None
-
None
-
Regular Contributors Level (Easy to Medium)
Description
AuthSession cookies will intermittently "break" — a user will have a perfectly valid session, but suddenly after their cookie gets refreshed they can randomly get "logged out" for practical purposes.
The cause is that Erlang's `string:tokens` behaviour does act as this code expects:
https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L163
https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L183
After evaluating `[A,B | C] = string:tokens("a:b::c:d").` the value of C is not `["","c","d"]` but rather `["c","d"]`. So when rejoined, the signature becomes "c:d" instead of the original ":c:d"!
It appears that using re.split/2 would avoid this problem, but yields a list/array result containing <<"">> instead of "" types, which string:join does not like. Should be pretty quick fix though for someone who knows just a bit more of the Erlang way.