Package: couchdb
Version: 0.10.0-1
Tags: upstream important

You cannot use a RESTful interface from a browser because it is open to CSRF attacks. Using an HttpOnly cookie is not sufficient because some of our browsers do not support HttpOnly.
Furthermore, couchdb serves JavaScript contained in database attachments back to the browser for execution, offering yet another attack vector, which also affects browsers with HttpOnly support.

This has already been reported upstream, not realizing that we've shipped it in lenny (with no response from upstream so far):

http://mail-archives.apache.org/mod_mbox/couchdb-dev/201002.mbox/%3c87bpfz5t39....@mid.deneb.enyo.de%3e

But lenny is exposed in a rather different way; it does not seem to offer any authentication at all.

Archive: http://lists.debian.org/873a12p6ug....@mid.deneb.enyo.de
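The two vectors in the report, as an added example that is not part of the bug report and not CouchDB's own code: a cookie-authenticated REST write endpoint reached by a cross-site request, and an attachment served back to the browser with an active content type. HttpOnly only hides a cookie from script; the browser still attaches it to a cross-site PUT or DELETE, so the server itself has to refuse such requests. The example shows an Origin/Referer check plus a required custom header (something a plain HTML form cannot send), and the response headers that make a stored text/html or JavaScript attachment download instead of executing in the database's origin. The endpoint path "/db/doc", the origin "https://couch.example.org", the header name "X-Requested-With", and the sample requests are all constructed for illustration.

```javascript
// Added example (not from the bug report or from CouchDB). Assumed: a REST
// endpoint such as PUT /db/doc that is authenticated only by a session cookie.

const TRUSTED_ORIGIN = "https://couch.example.org"; // assumed deployment origin
const REQUIRED_HEADER = "x-requested-with";         // assumed custom header

// Normalise header names to lower case (HTTP header names are case-insensitive).
function lowerHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Server-side CSRF decision for one request {method, path, headers}.
// Returns "allow" or a "reject: ..." string explaining why.
function csrfVerdict(req) {
  const h = lowerHeaders(req.headers);
  // Reads are not CSRF write targets (the API must never mutate on GET/HEAD).
  if (req.method === "GET" || req.method === "HEAD") return "allow";

  // Check 1: the request must come from the site itself. Browsers send Origin
  // on cross-site POST/PUT/DELETE and a page cannot forge it; fall back to
  // Referer for older browsers that omit Origin.
  let origin;
  if (h["origin"]) origin = h["origin"];
  else if (h["referer"]) origin = new URL(h["referer"]).origin;
  if (origin !== TRUSTED_ORIGIN) return "reject: cross-site or missing origin";

  // Check 2: require a custom header. An HTML form cannot add one, and a
  // cross-origin XMLHttpRequest would need a CORS preflight the server denies.
  if (!(REQUIRED_HEADER in h)) return "reject: missing custom header";

  return "allow";
}

// Response headers for an attachment whose content type was chosen by whoever
// stored it. Forcing a download and disabling sniffing keeps stored HTML or
// JavaScript from running with the database's cookies; serving attachments
// from a separate origin would be the stronger fix.
function attachmentHeaders(storedContentType, filename) {
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, "_");
  return {
    "Content-Type": storedContentType,
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox", // belt and braces if it is rendered anyway
  };
}

// Constructed requests, as the server would see them. Both carry the victim's
// session cookie, because the browser attaches it regardless of HttpOnly.
const crossSitePut = {
  method: "PUT", path: "/db/doc",
  headers: { Cookie: "AuthSession=abc", Origin: "https://evil.example.net",
             "Content-Type": "application/x-www-form-urlencoded" },
};
const sameSitePut = {
  method: "PUT", path: "/db/doc",
  headers: { Cookie: "AuthSession=abc", Origin: TRUSTED_ORIGIN,
             "X-Requested-With": "XMLHttpRequest" },
};

console.log("cross-site PUT:", csrfVerdict(crossSitePut));
console.log("same-site PUT: ", csrfVerdict(sameSitePut));
console.log("attachment:    ", attachmentHeaders("text/html", "evil page.html"));
```

The verdict function only reasons about the headers it is given; it does not replace authentication, which the report says lenny's package lacks entirely, and it assumes the write endpoints reject requests that arrive without any Origin or Referer at all.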