Python Driver / PYTHON-4588

Connection string parser allows invalid passwords, prints passwords

    • Type: Bug
    • Resolution: Fixed
    • Priority: Unknown
    • 4.9
    • Affects Version/s: None
    • Component/s: None
    • None
    • Python Drivers
    • Not Needed

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?


      Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
        File "/Users/khalen.fredieu/tools/triage-scripts/triage_scripts/lib/python3.8/site-packages/pymongo/mongo_client.py", line 774, in __init__
          res = uri_parser.parse_uri(
        File "/Users/khalen.fredieu/tools/triage-scripts/triage_scripts/lib/python3.8/site-packages/pymongo/uri_parser.py", line 568, in parse_uri
          nodes = split_hosts(hosts, default_port=default_port)
        File "/Users/khalen.fredieu/tools/triage-scripts/triage_scripts/lib/python3.8/site-packages/pymongo/uri_parser.py", line 381, in split_hosts
          nodes.append(parse_host(entity, port))
        File "/Users/khalen.fredieu/tools/triage-scripts/triage_scripts/lib/python3.8/site-packages/pymongo/uri_parser.py", line 147, in parse_host
          raise ValueError(f"Port must be an integer between 0 and 65535: {port!r}")
      ValueError: Port must be an integer between 0 and 65535: 'pass' 

      Detailed steps to reproduce the problem?

      1. Instantiate a MongoClient with a connection string featuring a user:password, but have the password end in a forward slash
      2. MongoClient("mongodb://user:pass/@localhost:27017") 

      Passwords are often changed manually; this bug was revealed after a manual password change led to the traceback above, and a password was printed to application logs.

      Definition of done: what must be done to consider the task complete?

      Avoid parsing passwords which have not been percent-encoded; one would assume the parser should fail when it observes a malformed password. Alternatively, do not print potential password values in exceptions.

      The exact Python version used, with patch level:

      3.8.0 (v3.8.0:fa919fdf25, Oct 14 2019, 10:23:27) [Clang 6.0 (clang-600.0.57)]

      The exact version of PyMongo used, with patch level:

      4.8.0, True

      Describe how MongoDB is set up. Local vs Hosted, version, topology, load balanced, etc.

      Local, replica set, 3 nodes.

      The operating system and version (e.g. Windows 7, OSX 10.8, ...)

      Mac OS Sonoma 14.5

      Web framework or asynchronous network library used, if any, with version (e.g. Django 1.7, mod_wsgi 4.3.0, gevent 1.0.1, Tornado 4.0.2, ...)

      N/A

      Security Vulnerabilities

      If you’ve identified a security vulnerability in a driver or any other MongoDB project, please report it according to the instructions here

            Assignee: shane.harvey@mongodb.com Shane Harvey
            Reporter: khalen.fredieu@mongodb.com Khalen Fredieu
            Votes: 0
            Watchers: 2
