Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
1.0
-
None
-
None
-
CouchDB trunk, erl R13B04
Description
Untrusted, unsanitized user input should not be converted to atoms because it allows the user to fill up the atom table in the VM, wasting memory and eventually causing a couchdb crash.
If rewriting is enabled (which it is by default), and if an attacker knows a database and ddoc name (even if the ddoc has no _rewrite rules), the attacker can permanently enter atoms into system.
I have not exhaustively audited couch_httpd_rewrite.erl but for instance handle_rewrite_req/3 converts all URL query keys to atoms.
[info] [<0.38.0>] Apache CouchDB has started on http://0.0.0.0:5984/
1> erlang:list_to_existing_atom("do_i_exist").
-
- exception error: bad argument
in function list_to_existing_atom/1
called as list_to_existing_atom("do_i_exist")
- exception error: bad argument
$ curl -X PUT localhost:5984/ex
{"ok":true}$ curl -X PUT localhost:5984/ex/_design/ex -d {}
{"ok":true,"id":"_design/ex","rev":"1-967a00dff5e02add41819138abb3284d"}$ curl http://localhost:5984/ex/_design/ex/_rewrite?do_i_exist=blah
{"error":"rewrite_error","reason":"Invalid path."} 2> [info] [<0.109.0>] 127.0.0.1 - - 'GET' /ex/_design/ex/_rewrite?do_i_exist=blah 404
2> erlang:list_to_existing_atom("do_i_exist").
do_i_exist