authorRobert Newson <rnewson@apache.org>2014-03-25 15:02:50 +0000
committerRobert Newson <rnewson@apache.org>2014-03-25 15:09:40 +0000
commit75e856b167c546f7b81f8b694c948355511a56b9 (patch)
tree4e7b7c5819868ee9eb625ac068241cf8f38cfb1c
parente24ff92187a2fba3545a01a4c39bd3adca7f56a2 (diff)
Configurable upper bound to _uuids count parameter
-rw-r--r--etc/couchdb/default.ini.tpl.in2
-rw-r--r--share/www/script/test/uuids.js4
-rw-r--r--src/couchdb/couch_httpd_misc_handlers.erl5
3 files changed, 11 insertions, 0 deletions
diff --git a/etc/couchdb/default.ini.tpl.in b/etc/couchdb/default.ini.tpl.in
index 3267001ae..5b366685a 100644
--- a/etc/couchdb/default.ini.tpl.in
+++ b/etc/couchdb/default.ini.tpl.in
@@ -215,6 +215,8 @@ algorithm = sequential
; The utc_id_suffix value will be appended to uuids generated by the utc_id algorithm.
; Replicating instances should have unique utc_id_suffix values to ensure uniqueness of utc_id ids.
utc_id_suffix =
+# Maximum number of UUIDs retrievable from /_uuids in a single request
+max_count = 1000
[stats]
; rate is in milliseconds
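Review bot: The key added here is `max_count`, but the handler hunk in src/couchdb/couch_httpd_misc_handlers.erl reads `couch_config:get("uuids","max","1000")`, so this setting is never consulted. The limit therefore stays at the hard-coded default of 1000 whatever an operator configures. Reading `couch_config:get("uuids", "max_count", "1000")` in the handler would make the two agree and keep the more descriptive name. The new comment also starts with `#` while the surrounding lines use `;`; `; Maximum number of UUIDs retrievable from /_uuids in a single request` would match the file.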
diff --git a/share/www/script/test/uuids.js b/share/www/script/test/uuids.js
index 6f5d223a6..0f141a905 100644
--- a/share/www/script/test/uuids.js
+++ b/share/www/script/test/uuids.js
@@ -80,6 +80,10 @@ couchTests.uuids = function(debug) {
}
};
+ // test max_uuid_count
+ var xhr = CouchDB.request("GET", "/_uuids?count=1001");
+ TEquals(401, xhr.status, "should error when count > max_count");
+
run_on_modified_server([{
"section": "uuids",
"key": "algorithm",
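Review bot: The assertion expects status 401, but the handler change in this commit throws `{forbidden, <<"count parameter too large">>}`, which couch_httpd's error mapping (not visible in this diff) would normally render as 403. If so, the line should read `TEquals(403, xhr.status, "should error when count > max_count");`. The request also hard-codes 1001 against the shipped default, so the test never proves the limit is configurable. Setting a small `max_count` through `run_on_modified_server` and checking both the boundary value and one above it would cover that, and would catch a handler that reads the wrong key.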
diff --git a/src/couchdb/couch_httpd_misc_handlers.erl b/src/couchdb/couch_httpd_misc_handlers.erl
index 96a05c6d6..67e3a122a 100644
--- a/src/couchdb/couch_httpd_misc_handlers.erl
+++ b/src/couchdb/couch_httpd_misc_handlers.erl
@@ -105,7 +105,12 @@ handle_restart_req(Req) ->
handle_uuids_req(#httpd{method='GET'}=Req) ->
+ Max = list_to_integer(couch_config:get("uuids","max","1000")),
Count = list_to_integer(couch_httpd:qs_value(Req, "count", "1")),
+ case Count > Max of
+ true -> throw({forbidden, <<"count parameter too large">>});
+ false -> ok
+ end,
UUIDs = [couch_uuids:new() || _ <- lists:seq(1, Count)],
Etag = couch_httpd:make_etag(UUIDs),
couch_httpd:etag_respond(Req, Etag, fun() ->
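Review bot: The new check bounds `Count` only from above, and `Count` still comes straight from the query string through `list_to_integer/1`. A non-numeric value raises badarg and a value below zero fails in `lists:seq(1, Count)`, so a malformed request presumably ends in a server error rather than a client error. A lower-bound guard before the comprehension, e.g. `Count < 0 andalso throw({bad_request, <<"count parameter must not be negative">>}),`, would reject those explicitly. `Max` is also parsed with `list_to_integer/1` on every request, so a non-integer config value would fail every call to /_uuids; a comment at that line saying the value must be a decimal integer would help operators. The function body continues past the end of this hunk.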