Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-12969

db.eval should not support load()

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • 2.6.0-rc0
    • 2.6.0-rc1
    • JavaScript, Security
    • ALL

    Description

      db.eval allows a user to load a js file via the load() function. This is a potential security risk since it allows the user to instruct the server to read files on the server side.

      Attachments

        Activity

          People

            mark.benvenuto@mongodb.com Mark Benvenuto
            mark.benvenuto@mongodb.com Mark Benvenuto
            Votes:
            1 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: