PHP Driver: PHP-426

Connection pool not paying attention to authentication when using replicaSet=true

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: 1.2.10
    • Fix Version/s: 1.3.0RC1
    • Component/s: Connection
    • Environment:
      Redhat
    • Operating System:
      ALL
    • # Replies:
      5
    • Last comment by Customer:
      true

      Description

      When connecting to a replicaSet using replicaSet=true, the connection pool does not pay attention to the validity of the connection and reuses invalid connections or unauthenticated connections.

      Steps to reproduce:
      1) Make a few valid connections to a replicaSet using the replicaSet=true connection parameter. This will fill the connection pool with valid connections.
      2) Modify the password in your connection string to be invalid.
      3) Attempt to connect again. Even though you have the wrong password, you can jump on an old persistent connection and still use it.

      This obviously has security consequences. It is possible for an unprivileged user to access the database even if they do not have the password because they can reuse a persistent connection from the pool.

      This has other negative consequences. If a connection fails for some reason, that invalid connection is still in the pool and will give errors to anyone that uses it.
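      The three reproduction steps above, modelled as an added example that is not part of the bug report or of mongo-php-driver: a pool keyed by host alone (the behaviour the report describes) beside one keyed by host, auth database, user name and a hash of the password, which also refuses to cache a failed authentication and evicts a dead socket. The in-memory server, its user table, the host string and the credential values are constructed for the example; the real driver's pool lives in the C extension and its key layout is not shown on this page.

```python
"""Model of a driver connection pool that ignores credentials (the PHP-426
behaviour) next to one keyed by credentials.  Constructed example; this is
not mongo-php-driver code."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the replica set's user store: (auth db, user) -> password.
SERVER_USERS = {("admin", "admin"): "correct-horse"}


class AuthError(Exception):
    pass


class ConnectionBroken(Exception):
    pass


@dataclass
class Connection:
    """One socket to the replica set, plus the identity it authenticated as."""
    host: str
    authenticated_as: Optional[Tuple[str, str]] = None
    alive: bool = True

    def authenticate(self, db: str, user: str, password: str) -> None:
        if SERVER_USERS.get((db, user)) != password:
            raise AuthError(f"auth failed for {user}@{db}")
        self.authenticated_as = (db, user)

    def find_one(self, collection: str) -> dict:
        if not self.alive:
            raise ConnectionBroken(f"socket to {self.host} is dead")
        if self.authenticated_as is None:
            raise AuthError("not authenticated")
        return {"collection": collection, "as": self.authenticated_as}


class HostKeyedPool:
    """Keyed by host only.  Whoever asks for the host next gets the cached,
    already-authenticated socket regardless of the credentials they supplied,
    and a socket that died while cached is handed out as well."""

    def __init__(self) -> None:
        self._pool: dict = {}

    def get(self, host: str, db: str, user: str, password: str) -> Connection:
        conn = self._pool.get(host)
        if conn is None:
            conn = Connection(host)
            conn.authenticate(db, user, password)
            self._pool[host] = conn
        return conn


class CredentialKeyedPool:
    """Hardened form: the key includes the authentication identity, a failed
    authentication is never cached, and a dead socket is evicted."""

    def __init__(self) -> None:
        self._pool: dict = {}

    @staticmethod
    def _key(host: str, db: str, user: str, password: str) -> tuple:
        # Hash the secret so the key never holds the plaintext password.
        pw_digest = hashlib.sha256(password.encode()).hexdigest()
        return (host, db, user, pw_digest)

    def get(self, host: str, db: str, user: str, password: str) -> Connection:
        key = self._key(host, db, user, password)
        conn = self._pool.get(key)
        if conn is not None and not conn.alive:
            del self._pool[key]  # evict rather than hand out a broken socket
            conn = None
        if conn is None:
            conn = Connection(host)
            conn.authenticate(db, user, password)  # raises, so nothing is cached
            self._pool[key] = conn
        return conn


def reproduce(pool_cls):
    """Run the report's three steps against a pool class; return what step 3 yields."""
    pool = pool_cls()
    host = "rs0/db1:27017"  # constructed replica-set seed
    pool.get(host, "admin", "admin", "correct-horse").find_one("users")  # step 1
    try:
        conn = pool.get(host, "admin", "admin", "WRONG")  # steps 2 and 3
        return conn.find_one("users")["as"]
    except AuthError:
        return "auth rejected"


def survives_dead_socket(pool_cls) -> bool:
    """True if a caller still gets a working connection after the cached one died."""
    pool = pool_cls()
    host = "rs0/db1:27017"
    pool.get(host, "admin", "admin", "correct-horse").alive = False
    try:
        return pool.get(host, "admin", "admin", "correct-horse").find_one("users") is not None
    except ConnectionBroken:
        return False


if __name__ == "__main__":
    for cls in (HostKeyedPool, CredentialKeyedPool):
        print(cls.__name__, reproduce(cls), survives_dead_socket(cls))
```

      Running the block prints, for each pool, what the wrong-password caller ends up with and whether a died-while-cached socket is replaced: the host-keyed pool hands the caller the cached admin identity and later the dead socket, the credential-keyed pool rejects the authentication and opens a fresh socket.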

        Activity

        Hannes Magnusson
        added a comment -

        This is still an issue in 1.3.0beta2.
        The second get_user() call in this testcase should fail, but doesn't.

        --TEST--
        Test for PHP-426: Connection pool not paying attention to authentication when using replicaSet=true
        --SKIPIF--
        <?php require_once dirname(__FILE__) . "/skipif.inc"; ?>
        --FILE--
        <?php
        // mongo(), dbname(), username(), password() and the $*_AUTH_ADMIN_PASSWORD
        // globals used to build the connection string come from the driver test
        // suite's utils.inc.
        require_once dirname(__FILE__) . "/../utils.inc";
        
        // Authenticated query; fails unless the connection is authenticated.
        function get_user($m, $username) {
            $db = $m->selectDB(dbname());
            $c = $db->selectCollection("system.users");
        
            return $c->findOne(array("user" => $username));
        }
        
        
        // First connection with the correct password fills the pool.
        $m = mongo("admin");
        var_dump(get_user($m, username()));
        
        $password = password("admin");
        // Intentionally supply wrong password to test we don't get a valid connection back
        $REPLICASET_AUTH_ADMIN_PASSWORD = $STANDALONE_AUTH_ADMIN_PASSWORD = "THIS-PASSWORD-IS-WRONG";
        
        // With the bug present this reuses the pooled, already-authenticated
        // connection, so the query succeeds instead of failing.
        $m = mongo("admin");
        var_dump(get_user($m, username()));
        
        ?>
        
        auto
        added a comment -

        Author: Derick Rethans <github@derickrethans.nl>, 2012-09-10T07:33:20-07:00

        Message: Fixed PHP-426: Connection pool not paying attention to authentication when using replicaSet=true.
        Branch: master
        https://github.com/mongodb/mongo-php-driver/commit/227127da6d9490490567bbcc97e83ebf3de06a40

        auto
        added a comment -

        Author: Derick Rethans <github@derickrethans.nl>, 2012-09-10T07:33:20-07:00

        Message: Fixed PHP-426: Connection pool not paying attention to authentication when using replicaSet=true.
        Branch: master
        https://github.com/mongodb/mongo-php-driver/commit/dc76b791e33beb3b04680b7b315519166e9fe063

        Githook User
        added a comment -

        Author: Jeremy Mikola (jmikola) <jmikola@gmail.com>

        Message: Fix PHP-426 test for mongod 2.5.x

        Querying system.users is not reliable since the server API changes in 2.5.x. Instead, we can simply query a collection to test if the connection was successfully established.
        Branch: v1.4
        https://github.com/mongodb/mongo-php-driver/commit/f201fee50d24315758bb78e905dd4f7531de5c56

        Githook User
        added a comment -

        Author: Jeremy Mikola (jmikola) <jmikola@gmail.com>

        Message: Fix PHP-426 test for mongod 2.5.x

        Querying system.users is not reliable since the server API changes in 2.5.x. Instead, we can simply query a collection to test if the connection was successfully established.
        Branch: master
        https://github.com/mongodb/mongo-php-driver/commit/f201fee50d24315758bb78e905dd4f7531de5c56


          People

          • Votes: 0
          • Watchers: 4
