sbisbee at computervip.com
Tue Feb 16 22:58:45 UTC 2010
On Mon, Feb 15, 2010 at 09:44:07PM +0100, Florian Weimer wrote:
> Package: couchdb
> Version: 0.10.0-1
> Tags: upstream important
> You cannot use a RESTful interface from a browser because it is open
> to CSRF attacks. Using an HttpOnly cookie is not sufficient because
> some of our browsers do not support HttpOnly.
I'm not sure I understand what you're referring to here. It seems like you're
worried that Futon will send some sort of malicious attack to a Futon user. In
my opinion that is as likely as a malicious attack coming from an Apache httpd
server - it depends on what the user is doing or sending, not the server
> attachment back to the browser for execution, offering yet another
> attack vector which also affects browsers with HttpOnly support.
not on the client. If you are worried about users uploading malicious scripts
to a document that would run in someone's browser (which I think is your main
point from your mailing list post), then I don't think there's anything that
couchdb can do to stop that out of the box. The onus is on your application to
filter your data, just like it is with MySQL or any other database I can think
of (though you could do this filtering in couchdb with a validation function).
> But lenny is exposed in a rather different way; it does not seem to
> offer any authentication at all.
Authentication has been in development for couchdb for quite some time, being
applied in different stages over the releases. Feel free to check out the
copious amounts of documentation about authentication and couchdb on upstream's
mailing list, wiki, etc.
More information about the Pkg-erlang-devel