CouchDB / COUCHDB-1607

cookie_authentication_handler does not properly handle AuthSession signatures starting with ":" character(s)


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.2
    • Fix Version/s: 1.3
    • Component/s: None
    • Labels: None
    • Skill Level: Regular Contributors Level (Easy to Medium)

      Description

      AuthSession cookies will intermittently "break" — a user will have a perfectly valid session, but suddenly after their cookie gets refreshed they can randomly get "logged out" for practical purposes.

      The cause is that Erlang's `string:tokens` behaviour does not act as this code expects:
      https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L163
      https://github.com/apache/couchdb/blob/7d4181346626c0cdb50b44f7e5e33435a8ccae0f/src/couchdb/couch_httpd_auth.erl#L183

      After evaluating `[A,B | C] = string:tokens("a:b::c:d", ":").` the value of C is not `["","c","d"]` but rather `["c","d"]`. So when rejoined, the signature becomes "c:d" instead of the original ":c:d"!

      It appears that using `re:split/2` would avoid this problem, but it yields a list/array result containing `<<"">>` instead of `""` types, which `string:join` does not like. Should be a pretty quick fix though for someone who knows just a bit more of the Erlang way.
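      To make the failure mode concrete, here is a small Erlang module (an added example written for this page, not code from the CouchDB repository or from the reporter) that parses a constructed `AuthSession` value of the form `user:timestamp:signature` both ways: first with the `string:tokens/2` pattern the issue describes, then with `re:split/3` using `{parts, 3}` and `{return, list}`, which splits on at most two ':' characters and returns the remainder as a plain string, so a signature beginning with ':' survives. The cookie value and module name are made up for the demonstration.

```erlang
%% Added example (not CouchDB's code): shows how string:tokens/2 drops the
%% empty fields produced by consecutive ':' characters, so a cookie whose
%% signature starts with ':' is reassembled incorrectly, and how a
%% fixed-count split keeps the signature intact.
-module(authsession_split).
-export([split_with_tokens/1, split_with_parts/1, demo/0]).

%% Constructed cookie value: user, timestamp, and a signature that begins
%% with ':' (hypothetical value chosen to trigger the bug).
-define(COOKIE, "alice:50a1b2c3::c:d").

%% The pattern the issue describes: take the first two tokens and rejoin
%% the rest. string:tokens/2 collapses runs of separators, so the empty
%% token before "c" disappears and the signature comes back as "c:d".
split_with_tokens(Cookie) ->
    [User, TimeStr | HashParts] = string:tokens(Cookie, ":"),
    {User, TimeStr, string:join(HashParts, ":")}.

%% re:split/3 with {parts, 3} splits on at most two ':' characters and
%% returns the remainder untouched, empty fields included. {return, list}
%% yields strings rather than binaries, so string:join is not needed and
%% the <<"">> versus "" mismatch mentioned above never arises.
split_with_parts(Cookie) ->
    [User, TimeStr, HashStr] = re:split(Cookie, ":", [{return, list}, {parts, 3}]),
    {User, TimeStr, HashStr}.

%% Returns {BrokenSignature, IntactSignature} for the constructed cookie:
%% {"c:d", ":c:d"}. A signature check against the stored value would fail
%% for the first and succeed for the second.
demo() ->
    {_, _, Broken} = split_with_tokens(?COOKIE),
    {_, _, Intact} = split_with_parts(?COOKIE),
    {Broken, Intact}.
```

      Compile with `erlc authsession_split.erl` and run `authsession_split:demo().` in an Erlang shell. Note that `split_with_parts/1` pattern-matches on exactly three elements, so a malformed cookie with fewer than two ':' characters raises a `badmatch`; a real handler should catch that and treat the cookie as absent rather than crash the request.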


            People

            • Assignee: Unassigned
            • Reporter: natevw Nathan Vander Wilt
            • Votes: 0
            • Watchers: 3
