authorRobert Newson <rnewson@apache.org>2015-09-10 12:26:29 +0100
committerRobert Newson <rnewson@apache.org>2015-09-10 14:00:46 +0100
commitdda4a5f220fa5d3c705b784c9bb1f1dbe776d724 (patch)
tree357706408ca04302e00bb919b7efa950587254a0
parenta84fcb2d98af2781b2c595c15d84ced5474de09c (diff)
downloadcouchdb-dda4a5f220fa5d3c705b784c9bb1f1dbe776d724.tar.gz
Remove new CSRF mechanism
-rwxr-xr-xdev/run7
-rw-r--r--test/javascript/tests/csrf.js84
2 files changed, 2 insertions, 89 deletions
diff --git a/dev/run b/dev/run
index e519fa6ed..06c96be16 100755
--- a/dev/run
+++ b/dev/run
@@ -30,7 +30,6 @@ import uuid
from pbkdf2 import pbkdf2_hex
COMMON_SALT = uuid.uuid4().hex
-COMMON_CSRF_SECRET = uuid.uuid4().hex
try:
from urllib import urlopen
@@ -259,11 +258,9 @@ def hack_local_ini(ctx, contents):
previous_line = "; require_valid_user = false\n"
contents = contents.replace(previous_line, previous_line + secret_line)
- csrf_secret = '\n\n[csrf]\nsecret = %s\n' % COMMON_CSRF_SECRET
-
if ctx['with_admin_party']:
ctx['admin'] = ('Admin Party!', 'You do not need any password.')
- return contents + csrf_secret
+ return contents
# handle admin credentials passed from cli or generate own one
if ctx['admin'] is None:
@@ -271,7 +268,7 @@ def hack_local_ini(ctx, contents):
else:
user, pswd = ctx['admin']
- return contents + "\n%s = %s" % (user, hashify(pswd)) + csrf_secret
+ return contents + "\n%s = %s" % (user, hashify(pswd))
def gen_password():
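Review bot: The new `return contents + "\n%s = %s" % (user, hashify(pswd))` leaves the generated local.ini ending in the admin credential line with no line terminator, because the removed `csrf_secret` suffix started with `\n\n` and was what previously terminated that line; `return contents + "\n%s = %s\n" % (user, hashify(pswd))` keeps the file newline-terminated. Whether CouchDB's ini reader tolerates an unterminated final line, or whether anything later appends to this file, is not visible from the hunk, so treat this as a precaution rather than a known breakage. Note also that dev/run no longer seeds a `[csrf] secret` shared by the cluster nodes, so if any server-side code still reads that section it will now fall back to its own default — presumably the server-side removal lands separately, which the commit message could state. hack_local_ini begins outside this hunk.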
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
deleted file mode 100644
index e16e78b49..000000000
--- a/test/javascript/tests/csrf.js
+++ /dev/null
@@ -1,84 +0,0 @@
-// Licensed under the Apache License, Version 2.0 (the "License"); you may not
-// use this file except in compliance with the License. You may obtain a copy of
-// the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-// License for the specific language governing permissions and limitations under
-// the License.
-
-couchTests.csrf = function(debug) {
- var db = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
- db.deleteDb();
- db.createDb();
-
- if (debug) debugger;
-
- // Handy function to cause CouchDB to delete the CSRF cookie
- var deleteCsrf = function() {
- var xhr = CouchDB.request("POST", "/_session", {
- body: 'name=foo&password=bar',
- headers: {'X-CouchDB-CSRF': 'foo',
- 'Content-Type': 'application/x-www-form-urlencoded',
- 'Cookie': 'CouchDB-CSRF=foo'}});
- TEquals(403, xhr.status);
- };
-
- var testFun = function () {
- // Shouldn't receive header if we didn't ask for it
- var xhr = CouchDB.request("GET", "/");
- TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
- TEquals(200, xhr.status);
-
- // Matching but invalid cookie/header should 403
- xhr = CouchDB.request("POST", "/_session", {
- body: 'name=foo&password=bar',
- headers: {'X-CouchDB-CSRF': 'foo',
- 'Content-Type': 'application/x-www-form-urlencoded',
- 'Cookie': 'CouchDB-CSRF=foo'}});
- TEquals(403, xhr.status);
- TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
-
- // Can I acquire a CouchDB-CSRF cookie?
- xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'true'}});
- var cookie = xhr.getResponseHeader("Set-Cookie").match('^CouchDB-CSRF=([^;]+)');
- T(cookie, "Should receive cookie");
-
- // If I have a cookie, do I get a 403 if I don't send the header?
- xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
- headers: {'Content-Type':
- 'application/x-www-form-urlencoded'}});
- TEquals(403, xhr.status);
- TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
-
- // If I have a cookie, do I get a 200 if I send a matching header?
- xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
- headers: {"X-CouchDB-CSRF": cookie[1],
- 'Content-Type': 'application/x-www-form-urlencoded'}});
- TEquals(200, xhr.status);
- TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
-
- // How about the wrong header?
- xhr = CouchDB.request("POST", "/_session", {body: 'name=foo&password=bar',
- headers: {'X-CouchDB-CSRF': 'foo',
- 'Content-Type': 'application/x-www-form-urlencoded'}});
- TEquals(403, xhr.status);
- TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
-
- deleteCsrf();
- };
-
- run_on_modified_server(
- [
- {section: "couch_httpd_auth",
- key: "iterations", value: "1"},
- {section: "admins",
- key: "foo", value: "bar"}
- ],
- testFun
- );
-
-};