
CORS bug with reduce_headers and ?SIMPLE_HEADERS

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: HTTP Interface
    • Labels:
      None

      Description

      The current implementation of couch_httpd_cors:reduce_headers0/3 has a bug in matching against couch_httpd_cors:member_nocase/2, where the atom `true` should actually be the atom `false`: [1].

      This currently has the effect of never removing the disallowed elements from the list, as desired. The immediate fix of `s/true/false/` on that line breaks two additional tests that expect the "Server" header to be passed through to the response, because "Server" is not in the list `?SIMPLE_HEADERS` [2], nor should it be as per the spec [3].

      We'll want to construct a list of allowed headers that is the union of the simple headers and the allowed CouchDB headers, like "Server".

      [1] https://github.com/apache/couchdb/blob/master/src/couchdb/couch_httpd_cors.erl#L248
      [2] https://github.com/apache/couchdb/blob/master/src/couchdb/couch_httpd_cors.erl#L35-L37
      [3] http://www.w3.org/TR/cors/#simple-header
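
A small model of the filtering described above, as an added example that is not CouchDB's source and not the reporter's code. The module `cors_filter_demo`, `filter/3`, the `COUCH_HEADERS` list and the sample headers are assumptions made for illustration. It runs the same constructed response headers through an inverted match on the case-insensitive membership test, the corrected match against the simple headers alone (which drops "Server"), and the corrected match against the union of both lists.

```erlang
%% Added example, not CouchDB source. Module and function names are hypothetical.
-module(cors_filter_demo).
-export([demo/0, filter/3, allowed/0]).

%% Simple response headers as listed in the CORS spec.
-define(SIMPLE_HEADERS, ["Cache-Control", "Content-Language", "Content-Type",
                         "Expires", "Last-Modified", "Pragma"]).
%% Assumption: extra headers the server wants passed through to the response.
-define(COUCH_HEADERS, ["Server"]).

%% Allowed list = union of the simple headers and the server's own headers.
allowed() -> lists:usort(?SIMPLE_HEADERS ++ ?COUCH_HEADERS).

%% Case-insensitive membership test on header names.
member_nocase(Name, List) ->
    Lower = string:lowercase(Name),
    lists:any(fun(E) -> string:lowercase(E) =:= Lower end, List).

%% Drop a {Name, Value} pair when member_nocase/2 returns DropOn, keep it otherwise.
%% DropOn = false is the intended filter; DropOn = true models the inverted match.
filter(Headers, Allowed, DropOn) ->
    lists:reverse(lists:foldl(
        fun({Name, _} = H, Acc) ->
            case member_nocase(Name, Allowed) of
                DropOn -> Acc;
                _Keep  -> [H | Acc]
            end
        end, [], Headers)).

demo() ->
    %% Constructed response headers; "X-Internal-Debug" is a made-up name.
    Hs = [{"content-type", "application/json"},
          {"Server", "CouchDB"},
          {"X-Internal-Debug", "1"}],
    Names = fun(L) -> [N || {N, _} <- L] end,
    %% Inverted match: disallowed headers survive, the allowed one is dropped.
    ["Server", "X-Internal-Debug"] = Names(filter(Hs, ?SIMPLE_HEADERS, true)),
    %% Corrected match, simple headers only: "Server" is filtered out too.
    ["content-type"] = Names(filter(Hs, ?SIMPLE_HEADERS, false)),
    %% Corrected match against the union: "Server" passes, the rest is removed.
    ["content-type", "Server"] = Names(filter(Hs, allowed(), false)),
    ok.
```

Compile with `erlc cors_filter_demo.erl` and call `cors_filter_demo:demo()` from the Erlang shell; each pattern match in `demo/0` fails with a `badmatch` error if the filter behaves differently from the comment above it.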

        Activity

        jira-bot ASF subversion and git services added a comment -

        Commit 4f619833695abb38b25d670c88bfdf9324c79f40 in branch refs/heads/master from Russell Branca
        [ https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=4f61983 ]

        COUCHDB-1922: fix CORS exposed headers

        jira-bot ASF subversion and git services added a comment -

        Commit ef79a7c8b77c28d3ed1178803636b11de0e0aec6 in branch refs/heads/1922-cors-reduce-headers from Russell Branca
        [ https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=ef79a7c ]

        COUCHDB-1922: fix CORS exposed headers

        jira-bot ASF subversion and git services added a comment -

        Commit a9486d2668939fb87a7298d31a7717be0d1912cc in branch refs/heads/1922-cors-reduce-headers from Russell Branca
        [ https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=a9486d2 ]

        COUCHDB-1922: fix CORS exposed headers

        jira-bot ASF subversion and git services added a comment -

        Commit 0a6dead37b6ced514ba0a7e258435b0bcc992f68 in branch refs/heads/1922-cors-reduce-headers from Russell Branca
        [ https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=0a6dead ]

        COUCHDB-1922: Demonstration of bug


          People

          • Assignee:
            chewbranca Russell Branca
            Reporter:
            chewbranca Russell Branca