[SERVER-12969] db.eval should not support load() - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 2.6.0-rc0
Fix Version/s: 2.6.0-rc1
Component/s: JavaScript, Security
Labels:
- 26qa

Operating System:
ALL

Description

db.eval allows a user to load a js file via the load() function. This is a potential security risk since it allows the user to instruct the server to read files on the server side.

Attachments

Activity

People

Assignee:: Mark Benvenuto

Reporter:: Mark Benvenuto

Participants:: Githook User, Mark Benvenuto

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: Feb 28 2014 09:15:17 PM UTC

Updated:: Jul 11 2016 05:18:21 PM UTC

Resolved:: Mar 04 2014 09:20:09 PM UTC