  1. Python Driver
  2. PYTHON-289

Unsanitized input to str format operator

Details

    • Bug
    • Status: Closed
    • Trivial - P5
    • Resolution: Fixed
    • 2.0.1
    • 2.1
    • None
    • None

    Description

      Error-reporting code in Database.command does not sanitize the string representation of the outgoing command object in the error message.

      This code will raise a ValueError from the failed format rather than an OperationFailure:

      import pymongo
      c = pymongo.Connection()
      db = c.test
      db.command("%")

      This is the offending code, found on line 338 in database.py:

      msg = "command %r failed: %%s" % command

      Replacing this line with the following line will fix the bug:

      msg = "command %s failed: %%s" % repr(command).replace("%", "%%")
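The two formatting passes described in this report, reproduced without pymongo or a server, as an added example that is not part of the original report or the driver's code. The function names, the error detail string, and the sample commands are assumptions made for illustration. The example goes beyond the single `"%"` case to show the other ways the unescaped repr can break or silently alter the message.

```python
# Added illustration: stand-alone model of the two-stage formatting in PYTHON-289.
# build_msg_vulnerable, build_msg_fixed, report and compare are hypothetical names.


def build_msg_vulnerable(command):
    # Line quoted in the report: the repr of the command is placed into a
    # string that is used as a format template a second time.
    return "command %r failed: %%s" % command


def build_msg_fixed(command):
    # Replacement proposed in the report: double every '%' in the repr so the
    # second formatting pass treats it as a literal percent sign.
    return "command %s failed: %%s" % repr(command).replace("%", "%%")


def report(build_msg, command, detail):
    """Run both formatting passes; return the message or the exception name."""
    try:
        return build_msg(command) % detail
    except (ValueError, TypeError) as exc:
        return "raised " + type(exc).__name__


# Constructed sample commands: a bare '%', a complete conversion specifier,
# an escaped percent, and a dict-style command with '%' inside a value.
SAMPLES = ["%", "%s", "%%", {"count": "100%"}]


def compare(detail="no such cmd"):
    """Return (command, vulnerable result, fixed result) for each sample."""
    return [
        (cmd,
         report(build_msg_vulnerable, cmd, detail),
         report(build_msg_fixed, cmd, detail))
        for cmd in SAMPLES
    ]


if __name__ == "__main__":
    for cmd, before, after in compare():
        print("%r\n  before: %s\n  after:  %s" % (cmd, before, after))
```

The `"%%"` sample raises nothing with the original line, but the resulting message shows a command different from the one that was sent.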

          People

            bernie@mongodb.com Bernie Hackett
            murarth Murarth
