csp header parameters require semicolon separated list but seen as comment in .ini file #4651

Closed
mohmesflir opened this issue Jun 21, 2023 · 3 comments · Fixed by #4653

mohmesflir commented Jun 21, 2023

Description

The [csp] header parameters (attachments_header_value, showlist_header_value, utils_header_value, and [depreciated] header_value) require a semicolon separated list but the interpreter sees the semicolon as the start of a comment and so only the first list item is loaded from the .ini file.

Steps to Reproduce

From default.ini, an example CSP section may look like:

```ini
; CSP (Content Security Policy) Support
[csp]
utils_enable = true
utils_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox allow-top-navigation;
attachments_enable = true
attachments_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox allow-top-navigation;
showlist_enable = true
showlist_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox allow-top-navigation;
```

and this can be saved in the local.d ini file using the config tool. However, when the service is restarted, only the first item in each list is loaded because the first semicolon is seen as the start of a comment.

Manually changing the settings in localhost:5984/_utils/#_config/couchdb@localhost to:
[image]

After restarting the service this is what you get:
[image]
Everything after the first semicolon is missing.

Expected Behaviour

Unfortunately CSP requires the semicolon separation and will not accept a comma. If these semicolons are changed to commas then the list reloads but fails to actually work when trying to load webpages served by the CouchDB server. So either:

  • an escape character is needed for the semicolon
  • the server needs to change the comma to a semicolon
  • the ini loader needs to ignore the semicolon on these specific lines

Your Environment

  • CouchDB version used: tested on 3.3.2 and 3.3.1
  • Operating system and version: Windows Server 2022 Standard 21H2 (OS build 20348.469)

mohmesflir (Author) commented

Just tested 3.2.3 and it is loading the values correctly

nickva (Contributor) commented Jun 22, 2023

Thank you for your report @mohmesflir. That does look like a bug. We'll try to investigate and have a fix in the next release.

nickva added a commit that referenced this issue Jun 22, 2023
Config values may contain `;` in them as long as `;` is not preceded by a
space or a tab character.

Fixes: #4651
nickva (Contributor) commented Jun 22, 2023

@mohmesflir this PR should fix the issue #4653
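
The following is an added example, not CouchDB's own code (which is Erlang) and not written by anyone in this thread. It is a simplified Python model of the two comment rules discussed here: the reported behaviour, where a value is cut at its first `;`, and the rule in the fix's commit message, where `;` starts a comment only after a space or tab. It also lints a `[csp]` section for header values that would lose directives. All function names and the sample ini text are constructed for illustration.

```python
import re

# Constructed sample, modelled on the [csp] section quoted in the issue.
SAMPLE_INI = """\
; CSP (Content Security Policy) Support
[csp]
utils_enable = true
utils_header_value = default-src 'self'; img-src 'self'; sandbox allow-scripts;
showlist_header_value = default-src 'self' ; script-src 'self'
attachments_enable = true ; trailing comment
"""

def cut_at_first_semicolon(raw):
    """Model of the behaviour reported for 3.3.1/3.3.2."""
    return raw.split(";", 1)[0].strip()

def cut_at_spaced_semicolon(raw):
    """Rule from the fix's commit message: ';' starts a comment only
    when it is preceded by a space or a tab."""
    m = re.search(r"[ \t];", raw)
    return (raw[:m.start()] if m else raw).strip()

def parse(ini_text, value_rule):
    """Return {(section, key): value}, applying value_rule to each value."""
    out, section = {}, None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue                      # blank or full-line comment
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        key, sep, raw = line.partition("=")
        if sep:
            out[(section, key.strip())] = value_rule(raw)
    return out

def truncated_csp_keys(ini_text, value_rule):
    """[csp] *header_value keys whose loaded value differs from the text
    written in the file, i.e. directives were dropped as a comment."""
    loaded = parse(ini_text, value_rule)
    written = parse(ini_text, str.strip)
    return sorted(key for (sec, key), val in loaded.items()
                  if sec == "csp" and key.endswith("header_value")
                  and val != written[(sec, key)])

if __name__ == "__main__":
    for rule in (cut_at_first_semicolon, cut_at_spaced_semicolon):
        print(rule.__name__, truncated_csp_keys(SAMPLE_INI, rule))
```

Under the commit message's rule, a policy written with a space before `;` is still cut at that point, so after a restart it is worth comparing the `Content-Security-Policy` header actually served against the configured value.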
