- Type: Task
- Resolution: Done
- Priority: Trivial - P5
- Affects Version/s: None
- Component/s: Server
- Labels: None
- Environment: Linux
Running a JS script with mongo --shell <malicious_script.js> can set the EDITOR variable, which is used to launch an editor via the edit command. Because edit just forks off a process with the command string "<EDITOR value> <temp filename>", if EDITOR is set to, say, rm -rf ~/, bad things can happen.
Programs that make use of the EDITOR environment variable all operate the same way (and by that I mean they don't check to see if the value is actually an editor, because, well, they can't really). I propose clearly documenting that mongo is no different in this regard and warning users to be careful that scripts they run in the shell can modify the EDITOR variable.
Another possibility is clearing out the EDITOR JS variable after any script is run.
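For contrast with the "<EDITOR value> <temp filename>" shell-string approach described above, here is an added example (not MongoDB's shell code) of how an edit-style command can launch the editor without ever handing the EDITOR value to a shell: the value is rejected if it contains whitespace or shell metacharacters, and the accepted value is passed as argv[0] to execvp with the temp file as its only argument. The function names, the temp file path and the rejected character set are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a bare command name or path for EDITOR: no whitespace (so no
 * arguments such as "rm -rf ~/") and none of the characters a shell would
 * interpret. This does not prove the value is an editor, only that it is
 * a single program name with no embedded arguments or shell syntax. */
bool editor_value_is_safe(const char *editor) {
    if (editor == NULL || editor[0] == '\0') return false;
    for (const char *p = editor; *p != '\0'; p++) {
        if (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r') return false;
        if (strchr(";&|<>`$(){}*?[]\"'\\~", *p) != NULL) return false;
    }
    return true;
}

/* Launch the editor on tmpfile with an argv array via execvp, so the
 * EDITOR value is never parsed by /bin/sh. Returns the editor's exit
 * status, or -1 if the value was rejected or the process could not run. */
int launch_editor(const char *editor, const char *tmpfile) {
    if (!editor_value_is_safe(editor) || tmpfile == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* child: argv[0] is the editor, argv[1] is the temp file, nothing else */
        char *argv[] = { (char *)editor, (char *)tmpfile, NULL };
        execvp(editor, argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Even with this check a script can still point EDITOR at any single program, so the reporter's proposal of resetting the EDITOR JS variable after a script runs remains the complementary mitigation.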
- is related to: DOCS-79 Document Security and Authentication (Closed)
- related to: SERVER-3787 'edit' command in shell (Closed)