Upgrading to 1.7.1 is important since CVE-2017-12635 is a serious hole.

However, there is an interim way. The design doc below just rejects .roles
dupes. You can check it by putting it into any other db first and trying to put
a new doc like {"roles":[],"roles":[1]}. If the validator is OK, the rejection
reason is 'You can't hack roles'.

{
  "_id": "_design/X12635",
  "language": "erlang",
  "validate_doc_update": "fun ({NewDoc}, OldDoc, UserCtx, SecObj) ->\n\t%% Covers CVE-2017-12635\n\tRoles = proplists:lookup_all(<<\"roles\">>, NewDoc),\n\tcase length(Roles) < 2 of\n\t\ttrue -> ok;\n\t\tfalse -> throw({[{<<\"forbidden\">>, <<\"You can't hack roles, sorry\">>}]})\n\tend,\n\t1\nend."
}

Since the ability to save JSON with a double entry of the .roles array is the
key to the 12635 vulnerability, the ddoc seems to fix it if put into the /_users
bucket.

Nothing comes without a price: you need to set native_query_servers / erlang
= {couch_native_process, start_link, []} in the DB config. Since enabling
Erlang might affect security, each case should be carefully assessed.

Although this trick is acceptable if you are postponing the upgrade to 1.7.1
for reasons not under your control, I highly recommend upgrading as soon as
possible.

ermouth
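Added illustration, not part of ermouth's post and not CouchDB's own code: a small Python model of what the ddoc's check does and of why a duplicate .roles key matters. The three sample _users documents are constructed for this example. The body is decoded with object_pairs_hook so duplicate keys survive; a first-wins lookup (what an Erlang proplist lookup returns) is shown next to a last-wins one (what JavaScript's JSON.parse keeps), and the validator returns 1 or a forbidden object the way the query-server protocol does.

```python
import json

# Constructed sample documents for a CouchDB _users database (not from the
# original post). DUPE_DOC is the post's test payload with a user shell around
# it; ESCALATION_DOC is the same duplicate-key trick with a privileged role in
# the first copy of "roles".
CLEAN_DOC = '{"_id":"org.couchdb.user:alice","type":"user","name":"alice","roles":[]}'
DUPE_DOC = '{"_id":"org.couchdb.user:alice","type":"user","name":"alice","roles":[],"roles":[1]}'
ESCALATION_DOC = '{"_id":"org.couchdb.user:alice","type":"user","name":"alice","roles":["_admin"],"roles":[]}'


def top_level_pairs(raw):
    """Decode raw JSON while keeping every key/value pair of the top-level
    object, duplicates included. A plain json.loads() would collapse the
    pairs into a dict and silently keep only the last value of each key."""
    if not raw.lstrip().startswith("{"):
        raise ValueError("document body must be a JSON object")
    # The hook returns the pair list unchanged, so the top-level object
    # comes back as [(key, value), ...] instead of a dict.
    return json.loads(raw, object_pairs_hook=lambda items: items)


def roles_first_wins(pairs):
    """Value of the FIRST "roles" key, which is what an Erlang proplist
    lookup (proplists:get_value) returns for a list with duplicate keys."""
    for key, value in pairs:
        if key == "roles":
            return value
    return None


def roles_last_wins(pairs):
    """Value of the LAST "roles" key, which is what JavaScript's JSON.parse
    leaves behind after overwriting earlier duplicates."""
    found = None
    for key, value in pairs:
        if key == "roles":
            found = value
    return found


def validate_doc_update(raw):
    """Python model of the post's Erlang validate_doc_update: count the
    top-level "roles" keys and forbid the write when there are two or more.
    Returns 1 (the query-server value for "accepted") or a {"forbidden": msg}
    object, mirroring the {[{<<"forbidden">>, Msg}]} the ddoc throws."""
    roles_keys = [key for key, _ in top_level_pairs(raw) if key == "roles"]
    if len(roles_keys) < 2:
        return 1
    return {"forbidden": "You can't hack roles, sorry"}


def parsers_disagree(raw):
    """True when first-wins and last-wins parsing yield different roles,
    i.e. when an Erlang-side reader and a JavaScript-side reader would see
    two different documents. This is exactly the case the ddoc rejects."""
    pairs = top_level_pairs(raw)
    return roles_first_wins(pairs) != roles_last_wins(pairs)


if __name__ == "__main__":
    for name, doc in [("clean", CLEAN_DOC), ("dupe", DUPE_DOC), ("escalation", ESCALATION_DOC)]:
        pairs = top_level_pairs(doc)
        print(name,
              "first-wins:", roles_first_wins(pairs),
              "last-wins:", roles_last_wins(pairs),
              "validator:", validate_doc_update(doc))
```

The check counts keys rather than comparing values on purpose: two identical "roles" members are just as much a parser-disagreement hazard as two different ones, and the Erlang ddoc in the post makes the same choice with length(Roles) < 2.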
