Use cookie authentication during replication

.travis.yml

@@ -4,7 +4,7 @@ before_install:
    - sudo apt-get -y install libtool automake autoconf autoconf-archive
    - sudo apt-get -y install texlive-latex-base texlive-latex-recommended
    - sudo apt-get -y install texlive-latex-extra texlive-fonts-recommended texinfo
-   - sudo apt-get -y install python-pygments python-docutils python-sphinx 
+   - sudo apt-get -y install python-pygments python-docutils python-sphinx
 before_script: ./bootstrap && ./configure
 script:
    - make distcheck
@@ -13,6 +13,7 @@ script:
    - grunt test
 language: erlang
 otp_release:
-   - R16B
+   - 17.0
+   - R16B03-1
    - R15B03
    - R14B04

INSTALL.Unix

@@ -39,10 +39,10 @@ Dependencies
 
 You should have the following installed:
 
- * Erlang OTP (>=R13B04, <R17)  (http://erlang.org/)
+ * Erlang OTP (>=R14B01, =<R17) (http://erlang.org/)
  * ICU                          (http://icu-project.org/)
  * OpenSSL                      (http://www.openssl.org/)
- * Mozilla SpiderMonkey (1.7)   (http://www.mozilla.org/js/spidermonkey/)
+ * Mozilla SpiderMonkey (1.8.5) (http://www.mozilla.org/js/spidermonkey/)
  * GNU Make                     (http://www.gnu.org/software/make/)
  * GNU Compiler Collection      (http://gcc.gnu.org/)
  * libcurl                      (http://curl.haxx.se/libcurl/)
@@ -94,20 +94,20 @@ RedHat-based (Fedora, Centos, RHEL) Systems
 
 You can install the dependencies by running:
 
-    sudo yum groupinstall "Development Tools"
     sudo yum install autoconf
     sudo yum install autoconf-archive
     sudo yum install automake
-    sudo yum install libtool
-    sudo yum install perl-Test-Harness
-    sudo yum install erlang-etap
+    sudo yum install curl-devel
+    sudo yum install erlang-asn1
     sudo yum install erlang-erts
-    sudo yum install erlang-os_mon
     sudo yum install erlang-eunit
-    sudo yum install libicu-devel
+    sudo yum install erlang-os_mon
+    sudo yum install erlang-xmerl
+    sudo yum install help2man
     sudo yum install js-devel
-    sudo yum install curl-devel
-    sudo yum install pkg-config
+    sudo yum install libicu-devel
+    sudo yum install libtool
+    sudo yum install perl-Test-Harness
 
 While CouchDB builds against the default js-devel-1.7.0 included in
 some distributions, it's recommended to use a more recent

acinclude.m4.in

@@ -17,10 +17,10 @@ m4_define([LOCAL_PACKAGE_TARNAME], [apache-couchdb])
 m4_define([LOCAL_PACKAGE_NAME], [Apache CouchDB])
 m4_define([LOCAL_BUG_URI], [https://issues.apache.org/jira/browse/COUCHDB])
 m4_define([LOCAL_VERSION_MAJOR], [1])
-m4_define([LOCAL_VERSION_MINOR], [6])
+m4_define([LOCAL_VERSION_MINOR], [7])
 m4_define([LOCAL_VERSION_REVISION], [0])
-m4_define([LOCAL_VERSION_STAGE], [+build])
-m4_define([LOCAL_VERSION_RELEASE], [.%revision%])
+m4_define([LOCAL_VERSION_STAGE], [])
+m4_define([LOCAL_VERSION_RELEASE], [])
 m4_define([LOCAL_VERSION_PRIMARY],
     [LOCAL_VERSION_MAJOR.LOCAL_VERSION_MINOR.LOCAL_VERSION_REVISION])
 m4_define([LOCAL_VERSION_SECONDARY],

bin/couchdb.tpl.in

@@ -270,6 +270,9 @@ start_couchdb () {
         echo "Apache CouchDB has started, time to relax."
     else
         if test "$RECURSED" = "true"; then
+            # close stdout / stderr
+            exec 1>&-
+            exec 2>&-
             while true; do
                 export HEART_COMMAND
                 export HEART_BEAT_TIMEOUT

configure.ac

@@ -33,6 +33,10 @@ AC_DISABLE_STATIC
 AC_PROG_CC
 LT_INIT([win32-dll])
 LT_INIT
+AS_IF([test x"${enable_shared}" = "xno"], [
+  AC_MSG_ERROR([System as configured cannot build shared libraries.])
+])
+
 AC_PROG_LN_S
 
 PKG_PROG_PKG_CONFIG
@@ -411,32 +415,36 @@ esac
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking Erlang version compatibility" >&5
 $as_echo_n "checking Erlang version compatibility... " >&6; }
-erlang_version_error="The installed Erlang version must be >= R14B (erts-5.8.1) and <R17 (erts-5.11)"
+erlang_version_error="The installed Erlang version must be >= R14B (erts-5.8.1) and =< 17 (erts-6.0)"
 
 version="`${ERL} -version 2>&1 | ${SED} 's/[[^0-9]]/ /g'` 0 0 0"
 major_version=`echo $version | ${AWK} "{print \\$1}"`
 minor_version=`echo $version | ${AWK} "{print \\$2}"`
 patch_version=`echo $version | ${AWK} "{print \\$3}"`
+echo -n "detected Erlang version: $major_version.$minor_version.$patch_version..."
 
-if test $major_version -ne 5; then
-    as_fn_error $? "$erlang_version_error" "$LINENO" 5
+if test $major_version -lt 5 -o $major_version -gt 6; then
+    as_fn_error $? "$erlang_version_error major_version does not match" "$LINENO" 5
 fi
 
-if test $minor_version -lt 8 -o $minor_version -gt 10; then
-    as_fn_error $? "$erlang_version_error" "$LINENO" 5
+if test $major_version -eq 5 -a $minor_version -lt 8; then
+    as_fn_error $? "$erlang_version_error minor_version does not match" "$LINENO" 5
 fi
 
 AC_MSG_RESULT(compatible)
 
+# returns 17 for erts-6.0, and R14B03 or similar for earlier releases
 otp_release="`\
     ${ERL} -noshell \
     -eval 'io:put_chars(erlang:system_info(otp_release)).' \
     -s erlang halt`"
 
 AC_SUBST(otp_release)
 
-AM_CONDITIONAL([USE_OTP_NIFS], [test x$otp_release \> xR13B03])
-AM_CONDITIONAL([USE_EJSON_COMPARE_NIF], [test x$otp_release \> xR14B03])
+AM_CONDITIONAL([USE_OTP_NIFS],
+    [can_use_nifs=$(echo $otp_release | grep -E "^(R14B|R15|R16|17)")])
+AM_CONDITIONAL([USE_EJSON_COMPARE_NIF],
+    [can_use_ejson=$(echo $otp_release | grep -E "^(R14B03|R15|R16|17)")])
 
 has_crypto=`\
     ${ERL} -eval "\

etc/couchdb/default.ini.tpl.in

@@ -68,7 +68,7 @@ include_sasl = true
 authentication_db = _users
 authentication_redirect = /_utils/session.html
 require_valid_user = false
-timeout = 600 ; number of seconds before automatic logout
+timeout = 600 ; The number of seconds before automatic logout. The minimum value is 60, and any value less 60 will be ignored.
 auth_cache_size = 50 ; size is number of cache entries
 allow_persistent_cookies = false ; set to true to allow persistent cookies
 iterations = 10 ; iterations for password hashing

etc/couchdb/local.ini

@@ -75,6 +75,15 @@ verify_ssl_certificates = false
 ;verify_fun = {Module, VerifyFun}
 ; maximum peer certificate depth
 ssl_certificate_max_depth = 1
+;
+; Reject renegotiations that do not live up to RFC 5746.
+;secure_renegotiate = true
+; The cipher suites that should be supported.
+; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
+; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
+;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+; The SSL/TLS versions to support
+;tls_versions = [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']
 
 ; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
 ; the Virual Host will be redirected to the path. In the example below all requests

share/Makefile.am

@@ -59,6 +59,7 @@ nobase_dist_localdata_DATA = \
     www/dialog/_admin_party.html \
     www/dialog/_change_password.html \
     www/dialog/_compact_cleanup.html \
+    www/dialog/_copy_document.html \
     www/dialog/_create_admin.html \
     www/dialog/_login.html \
     www/dialog/_signup.html \
@@ -101,6 +102,7 @@ nobase_dist_localdata_DATA = \
     www/image/bg.png \
     www/image/cancel.gif \
     www/image/compact.png \
+    www/image/copy.png \
     www/image/delete-mini.png \
     www/image/delete.png \
     www/image/grippie.gif \
@@ -142,7 +144,7 @@ nobase_dist_localdata_DATA = \
     www/script/jquery.editinline.js \
     www/script/jquery.form.js \
     www/script/jquery.js \
-    www/script/jquery-ui-1.8.11.custom.min.js \
+    www/script/jquery-ui-1.9.2.custom.min.js \
     www/script/jquery.resizer.js \
     www/script/jquery.suggest.js \
     www/script/json2.js \

share/doc/build/Makefile.am

@@ -390,6 +390,7 @@ src_files = \
     ../src/cve/2012-5641.rst \
     ../src/cve/2012-5649.rst \
     ../src/cve/2012-5650.rst \
+    ../src/cve/2014-2668.rst \
     ../src/cve/index.rst \
     ../src/fauxton/addons.rst \
     ../src/fauxton/index.rst \
@@ -449,6 +450,7 @@ src_files_html = \
     ../templates/layout.html \
     ../templates/help.html \
     ../templates/searchbox.html \
+    ../templates/tracking.html \
     ../templates/utilities.html
 
 sphinx_extensions = \

share/doc/src/api/ddoc/views.rst

@@ -32,9 +32,9 @@
     Ignored if `include_docs` isn't ``true``. Default is ``false``
   :query boolean descending: Return the documents in descending by key order.
     Default is ``false``
-  :query string endkey: Stop returning records when the specified key is
+  :query json endkey: Stop returning records when the specified key is
     reached. *Optional*
-  :query string end_key: Alias for `endkey` param
+  :query json end_key: Alias for `endkey` param
   :query string endkey_docid: Stop returning records when the specified
     document ID is reached. *Optional*
   :query string end_key_doc_id: Alias for `endkey_docid` param
@@ -52,7 +52,7 @@
     compressed. Ignored if `include_docs` isn't ``true``. Default is ``false``.
   :query boolean inclusive_end: Specifies whether the specified end key should
     be included in the result. Default is ``true``
-  :query string key: Return only documents that match the specified key.
+  :query json key: Return only documents that match the specified key.
     *Optional*
   :query number limit: Limit the number of the returned documents to the
     specified number. *Optional*
@@ -61,9 +61,9 @@
     the results. Default is ``0``
   :query string stale: Allow the results from a stale view to be used.
     Supported values: ``ok`` and ``update_after``. *Optional*
-  :query string startkey: Return records starting with the specified key.
+  :query json startkey: Return records starting with the specified key.
     *Optional*
-  :query string start_key: Alias for `startkey` param
+  :query json start_key: Alias for `startkey` param
   :query string startkey_docid: Return records starting with the specified
     document ID. *Optional*
   :query string start_key_doc_id: Alias for `startkey_docid` param

share/doc/src/api/document/common.rst

@@ -247,14 +247,14 @@
   (latest) revision, either by using the ``rev`` parameter or by using the
   :header:`If-Match` header to specify the revision.
 
+  .. note::
+    CouchDB doesn't completely delete the specified document. Instead, it leaves
+    a tombstone with very basic information about the document. The tombstone
+    is required so that the delete action can be replicated across databases.
+
   .. seealso::
     :ref:`Retrieving Deleted Documents <api/doc/retrieving-deleted-documents>`
 
-  .. note::
-    CouchDB doesn't actually delete documents. The reason is the need to track
-    them correctly during the replication process between databases to prevent
-    accidental document recovery for any previous state.
-
   :param db: Database name
   :param docid: Document ID
   :<header Accept: - :mimetype:`application/json`

share/doc/src/config/http.rst

@@ -329,9 +329,12 @@ Secure Socket Level Options
 
   .. config:option:: cacert_file :: CA Certificate file
 
-    Path to file containing PEM encoded CA certificates (trusted certificates
-    used for verifying a peer certificate). May be omitted if you do not want
-    to verify the peer::
+    The path to a file containing PEM encoded CA certificates. The CA
+    certificates are used to build the server certificate chain, and for client
+    authentication. Also the CAs are used in the list of acceptable client CAs
+    passed to the client when a certificate is requested. May be omitted if
+    there is no need to verify the client and if there are not any intermediate
+    CAs for the server certificate::
 
       [ssl]
       cacert_file = /etc/ssl/certs/ca-certificates.crt
@@ -387,6 +390,36 @@ Secure Socket Level Options
       [ssl]
       verify_ssl_certificates = false
 
+  .. config:option:: secure_renegotiate :: Enable secure renegotiation
+
+    Set to `true` to reject renegotiation attempt that does not live up to
+    :rfc:`5746`::
+
+      [ssl]
+      secure_renegotiate = true
+
+    .. versionadded:: 1.7
+
+  .. config:option:: ciphers :: Specify permitted server cipher list
+
+    Set to the cipher suites that should be supported which can be
+    specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}" or
+    in OpenSSL format "ECDHE-ECDSA-AES128-SHA256"::
+
+      [ssl]
+      ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+
+    .. versionadded:: 1.7
+
+  .. config:option:: tls_versions :: Specify permitted server SSL/TLS protocol versions
+
+    Set to a list of permitted SSL/TLS protocol versions::
+
+      [ssl]
+      tls_versions = [sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2']
+
+    .. versionadded:: 1.7
+
 
 .. _cors:
 .. _config/cors:

share/doc/src/cve/2014-2668.rst

@@ -0,0 +1,54 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+
+.. _cve/2014-2668:
+
+==================================================================================
+CVE-2014-2668: DoS (CPU and memory consumption) via the count parameter to /_uuids
+==================================================================================
+
+:Date: 26.03.2014
+
+:Affected: Apache CouchDB releases up to and including 1.3.1, 1.4.0,
+           and 1.5.0 are vulnerable.
+
+:Severity: Moderate
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+The :ref:`api/server/uuids` resource's `count` query parameter is able to take
+unreasonable huge numeric value which leads to exhaustion of server resources
+(CPU and memory) and to DoS as the result.
+
+Mitigation
+==========
+
+Upgrade to a supported CouchDB release that includes this fix, such as:
+
+- :ref:`1.5.1 <release/1.5.1>`
+- :ref:`1.6.0 <release/1.6.0>`
+
+All listed releases have included a specific fix to
+
+Work-Around
+===========
+
+Disable the :ref:`api/server/uuids` handler completely, by adapting
+`local.ini` and restarting CouchDB::
+
+  [httpd_global_handlers]
+  _uuids =
+