Python Driver / PYTHON-289

Unsanitized input to str format operator


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Trivial - P5
    • Resolution: Fixed
    • Affects Version/s: 2.0.1
    • Fix Version/s: 2.1
    • Component/s: None
    • Labels: None
    • # Replies: 2
    • Last comment by Customer: true

Description

Error-reporting code in Database.command does not sanitize the string representation of the outgoing command object in the error message.

This code will raise a ValueError from the failed format rather than an OperationFailure:

    import pymongo
    c = pymongo.Connection()
    db = c.test
    db.command("%")

This is the offending code, found on line 338 in database.py:

    msg = "command %r failed: %%s" % command

Replacing this line with the following line will fix the bug:

    msg = "command %s failed: %%s" % repr(command).replace("%", "%%")
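The following is an added, stand-alone illustration of the failure mode described above; it is not code from the PyMongo driver and does not import it. The function names `build_message_unsafe`, `build_message_escaped`, `build_message_single_pass` and `check_all` are invented for this example. It reproduces the two-stage `%` formatting pattern from the report (interpolate the command's repr first, substitute the error text later), shows why a `%` inside the repr turns into a format directive at the second stage, and contrasts the escaping fix quoted in the report with a single-pass alternative that never reinterprets a value as a template.

```python
# Added example, not PyMongo's code: the two-stage %-formatting bug from
# PYTHON-289 and two safe ways to build the same message.
# All function names here are made up for illustration.


def build_message_unsafe(command, error):
    # Stage 1 (the pattern in the report): the command's repr is interpolated
    # into a template that deliberately keeps a deferred "%%s" placeholder.
    msg = "command %r failed: %%s" % command
    # Stage 2: the error text is substituted later.  Any "%" that the repr
    # carried in is now parsed as a format directive, so a command like "%"
    # raises ValueError and "%s" raises TypeError instead of producing a message.
    return msg % error


def build_message_escaped(command, error):
    # The fix quoted in the report: double every "%" in the repr before it
    # enters the template, so stage 2 sees literal percent signs only.
    msg = "command %s failed: %%s" % repr(command).replace("%", "%%")
    return msg % error


def build_message_single_pass(command, error):
    # Alternative hardening: substitute both values in one pass.  A value is
    # never fed back through the % operator, so nothing in it can be
    # misread as a directive and no escaping step is needed.
    return "command %r failed: %s" % (command, error)


def check_all(command, error):
    """Run every builder; return its message, or the exception class name it raised."""
    builders = (
        ("unsafe", build_message_unsafe),
        ("escaped", build_message_escaped),
        ("single_pass", build_message_single_pass),
    )
    results = {}
    for name, fn in builders:
        try:
            results[name] = fn(command, error)
        except (ValueError, TypeError) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    # Constructed sample inputs: a benign command and the two problematic ones.
    for cmd in ({"ping": 1}, "%", "%s"):
        print("%-12r -> %r" % (cmd, check_all(cmd, "boom")))
```

Run as a script it prints one line per sample command; the benign `{"ping": 1}` succeeds with every builder, while `"%"` and `"%s"` make the unsafe builder raise (ValueError and TypeError respectively) and the two safe builders return the intended message.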
