C Driver / CDRIVER-3012

Authentication attempted after parsing empty username in URI

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor - P4
    • 1.15.0
    • Affects Version/s: None
    • Component/s: auth, libmongoc, uri
    • Labels: None

      In mongodb/mongo-php-driver#966, a user attempted to connect to the database with the following connection string:

      mongodb://@localhost:27017
      

      I believe mongoc_uri_parse_before_slash() parsed this string and yielded an empty string for the username and a null password. As a result, mongoc_cluster_init() later decided that authentication was required due to a non-null username (no auth source was specified). This led to a very cryptic "Authentication failed." error message from the server. I assume the "@" was a typo, as the user originally reported that they were not using authentication.

      I'm not sure if there is any valid use case where an empty username would be accepted by the server. If not, perhaps we can consider adding some validation around this to raise a client-side error during URI parsing – or at least not decide to require auth if username is an empty string.

            Assignee: Haris Sheikh (Inactive), haris.sheikh@mongodb.com
            Reporter: Jeremy Mikola, jmikola@mongodb.com
            Votes: 0
            Watchers: 2
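
The client-side check the report proposes, sketched as an added example (not libmongoc code and not the fix that shipped in the driver). `classify_userinfo` and `auth_required` are hypothetical names, and treating the last `@` before the first `/` or `?` as the end of the userinfo is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { URI_BAD_SCHEME, USERINFO_ABSENT, USERINFO_EMPTY_USER, USERINFO_OK } userinfo_status;

/* Hypothetical helper, not a libmongoc function. Classifies the userinfo in
 * the part of a mongodb:// URI that precedes the first '/' or '?'. On
 * USERINFO_OK, *user / *len describe the raw (still percent-encoded) username. */
static userinfo_status
classify_userinfo (const char *uri, const char **user, size_t *len)
{
   static const char scheme[] = "mongodb://";
   const char *auth, *end, *p, *at = NULL, *colon;

   if (strncmp (uri, scheme, sizeof scheme - 1) != 0)
      return URI_BAD_SCHEME;
   auth = uri + sizeof scheme - 1;
   end = auth + strcspn (auth, "/?");
   for (p = auth; p < end; p++)
      if (*p == '@')
         at = p; /* assumption: userinfo ends at the last '@' */
   if (!at)
      return USERINFO_ABSENT; /* no '@': no credentials were supplied */
   colon = memchr (auth, ':', (size_t) (at - auth));
   *user = auth;
   *len = (size_t) ((colon ? colon : at) - auth);
   /* "mongodb://@host" lands here with len == 0: reject it at parse time. */
   return *len ? USERINFO_OK : USERINFO_EMPTY_USER;
}

/* Require auth only for a non-empty username, not merely a non-NULL one. */
static bool auth_required (userinfo_status s)
{
   return s == USERINFO_OK;
}

int main (void)
{
   /* Constructed inputs; the first is the connection string from the report. */
   const char *uris[] = {"mongodb://@localhost:27017", "mongodb://localhost:27017",
                         "mongodb://alice:pw@localhost:27017/db"};
   const char *user;
   size_t len, i;
   for (i = 0; i < sizeof uris / sizeof uris[0]; i++) {
      userinfo_status s = classify_userinfo (uris[i], &user, &len);
      printf ("%-40s status=%d auth_required=%d\n", uris[i], (int) s, auth_required (s));
   }
   return 0;
}
```

A caller would turn `USERINFO_EMPTY_USER` into a URI parse error, so the user sees the typo locally and never reaches the server's "Authentication failed." response.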
