author | Joan Touzet <joant@atypical.net> | 2018-03-02 19:12:56 -0500 |
---|---|---|
committer | Joan Touzet <joant@atypical.net> | 2018-03-05 16:41:24 -0500 |
commit | 6e6f152eff4f9446221c64f96bd1ba310410721b (patch) | |
tree | cc46a22d6cd8ebca207925638f0d6e7c357c62f1 | |
parent | 51cb6aecc42eaa12058113003a3b4af7234250a8 (diff) | |
Prevent access to Fauxton on node-local port (5986) (branch: 1198-no-5986-fauxton)
Will help stop people shooting themselves in the foot and/or using
node-local CouchDB as their "main" CouchDB port.
Closes #1198
-rw-r--r-- | src/chttpd/test/chttpd_csp_tests.erl (renamed from src/couch/test/couchdb_csp_tests.erl) | 11 | ||||
-rw-r--r-- | src/couch/src/couch_httpd_misc_handlers.erl | 25 | ||||
-rw-r--r-- | src/couch/test/couchdb_vhosts_tests.erl | 25 |
3 files changed, 7 insertions, 54 deletions
diff --git a/src/couch/test/couchdb_csp_tests.erl b/src/chttpd/test/chttpd_csp_tests.erl
index 5eb33f909..e86436254 100644
--- a/src/couch/test/couchdb_csp_tests.erl
+++ b/src/chttpd/test/chttpd_csp_tests.erl
@@ -10,29 +10,28 @@
 % License for the specific language governing permissions and limitations under
 % the License.
 
--module(couchdb_csp_tests).
+-module(chttpd_csp_tests).
 
 -include_lib("couch/include/couch_eunit.hrl").
 
--define(TIMEOUT, 1000).
-
 
 setup() ->
 ok = config:set("csp", "enable", "true", false),
- Addr = config:get("httpd", "bind_address", "127.0.0.1"),
- Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
+ Addr = config:get("chttpd", "bind_address", "127.0.0.1"),
+ Port = mochiweb_socket_server:get(chttpd, port),
 lists:concat(["http://", Addr, ":", Port, "/_utils/"]).
 
 teardown(_) ->
 ok.
 
 
+
 csp_test_() ->
 {
 "Content Security Policy tests",
 {
 setup,
- fun test_util:start_couch/0, fun test_util:stop_couch/1,
+ fun chttpd_test_util:start_couch/0, fun chttpd_test_util:stop_couch/1,
 {
 foreach,
 fun setup/0, fun teardown/1,
diff --git a/src/couch/src/couch_httpd_misc_handlers.erl b/src/couch/src/couch_httpd_misc_handlers.erl
index ddc3d64b0..e2fc9f2fc 100644
--- a/src/couch/src/couch_httpd_misc_handlers.erl
+++ b/src/couch/src/couch_httpd_misc_handlers.erl
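Review bot: `teardown/1` still returns `ok` without undoing the `config:set("csp", "enable", "true", false)` performed in `setup/0`, so the CSP setting leaks into whatever test runs next on the same node; since this hunk already edits the setup/teardown pair, it could restore the value, e.g. `teardown(_) -> ok = config:delete("csp", "enable", false).` The hunk also drops `-define(TIMEOUT, 1000)`; if any clause further down this file still references `?TIMEOUT` the module no longer compiles, and the remainder of the test generator lies outside the hunk, so that cannot be confirmed from here. `Port` is now an integer rather than a string, which `lists:concat/1` accepts, so the URL construction itself is unaffected.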
@@ -61,30 +61,9 @@ handle_file_req(#httpd{method='GET'}=Req, Document) ->
 handle_file_req(Req, _) ->
 send_method_not_allowed(Req, "GET,HEAD").
 
-handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
- "/" ++ UrlPath = couch_httpd:path(Req),
- case couch_httpd:partition(UrlPath) of
- {_ActionKey, "/", RelativePath} ->
- % GET /_utils/path or GET /_utils/
- CachingHeaders = [{"Cache-Control", "private, must-revalidate"}],
- EnableCsp = config:get("csp", "enable", "false"),
- Headers = maybe_add_csp_headers(CachingHeaders, EnableCsp),
- couch_httpd:serve_file(Req, RelativePath, DocumentRoot, Headers);
- {_ActionKey, "", _RelativePath} ->
- % GET /_utils
- RedirectPath = couch_httpd:path(Req) ++ "/",
- couch_httpd:send_redirect(Req, RedirectPath)
- end;
 handle_utils_dir_req(Req, _) ->
- send_method_not_allowed(Req, "GET,HEAD").
-
-maybe_add_csp_headers(Headers, "true") ->
- DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
- "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
- Value = config:get("csp", "header_value", DefaultValues),
- [{"Content-Security-Policy", Value} | Headers];
-maybe_add_csp_headers(Headers, _) ->
- Headers.
+ send_error(Req, 410, <<"no_node_local_fauxton">>,
+ ?l2b("The web interface is no longer available on the node-local port.")).
 
 
 handle_all_dbs_req(#httpd{method='GET'}=Req) ->
diff --git a/src/couch/test/couchdb_vhosts_tests.erl b/src/couch/test/couchdb_vhosts_tests.erl
index dfac73cb3..2562a0653 100644
--- a/src/couch/test/couchdb_vhosts_tests.erl
+++ b/src/couch/test/couchdb_vhosts_tests.erl
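Review bot: The surviving `handle_utils_dir_req(Req, _)` clause carries no comment explaining why a retired endpoint is kept as a handler instead of being removed from the handler table, and it now answers 410 for every method rather than only GET/HEAD, so a reader will wonder whether that is deliberate. A short comment would settle it, e.g. `% Fauxton is served only from the clustered (chttpd) port; this clause stays so an existing httpd_global_handlers "_utils" entry answers 410 instead of crashing the request.` — the part about existing config entries is my reading of the change and is worth confirming. Nothing in this commit exercises the new 410 path: the only node-local `_utils` coverage, `should_serve_utils_for_vhost`, is deleted in `couchdb_vhosts_tests.erl`, so a small test asserting status `410` and error `no_node_local_fauxton` on `/_utils/` of the `couch_httpd` port would lock the behaviour in. As a style nit, the reason could be a plain `<<"...">>` literal instead of `?l2b(...)` over a list literal, avoiding a conversion on every request.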
@@ -46,14 +46,6 @@ setup() ->
 couch_db:ensure_full_commit(Db),
 couch_db:close(Db),
 
- test_util:with_process_restart(couch_httpd, fun() ->
- config:set("httpd_global_handlers", "_utils",
- "{couch_httpd_misc_handlers, handle_utils_dir_req, <<\""
- ++ ?TEMPDIR
- ++ "\">>}"
- )
- end),
-
 Addr = config:get("httpd", "bind_address", "127.0.0.1"),
 Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)),
 Url = "http://" ++ Addr ++ ":" ++ Port,
@@ -76,7 +68,6 @@ vhosts_test_() ->
 [
 fun should_return_database_info/1,
 fun should_return_revs_info/1,
- fun should_serve_utils_for_vhost/1,
 fun should_return_virtual_request_path_field_in_request/1,
 fun should_return_real_request_path_field_in_request/1,
 fun should_match_wildcard_vhost/1,
@@ -122,22 +113,6 @@ should_return_revs_info({Url, DbName}) ->
 end
 end).
 
-should_serve_utils_for_vhost({Url, DbName}) ->
- ?_test(begin
- ok = config:set("vhosts", "example.com", "/" ++ DbName, false),
- ensure_index_file(),
- case test_request:get(Url ++ "/_utils/index.html", [],
- [{host_header, "example.com"}]) of
- {ok, _, _, Body} ->
- ?assertMatch(<<"<!DOCTYPE html>", _/binary>>, Body);
- Else ->
- erlang:error({assertion_failed,
- [{module, ?MODULE},
- {line, ?LINE},
- {reason, ?iofmt("Request failed: ~p", [Else])}]})
- end
- end).
-
 should_return_virtual_request_path_field_in_request({Url, DbName}) ->
 ?_test(begin
 ok = config:set("vhosts", "example1.com", |
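Review bot: Deleting `should_serve_utils_for_vhost/1` in the last hunk removes the only visible caller of `ensure_index_file/0`; if that helper is defined in this module and nothing else references it, the compiler reports an unused function, which fails the build when `warnings_as_errors` is on. Its definition lies outside these hunks, so please check and delete it together with the test if it is now dead. The `?TEMPDIR` reference dropped from `setup/0` in the first hunk may likewise leave its `-define` unused, though an unused macro does not warn and is only tidiness.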