Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 4.3.1
Affects Version/s: 3.1.7
Component/s: JavaScript
Labels:
- spidermonkey

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:
Hide

Create two users:
The first shall be named 'x@y' and will exist on 'z'.
The second shall be named 'x' and will exist on 'y@z'.

In window 1:

> use z switched to db z > db.createUser({user: "x@y", pwd: "pwd", roles: []}) Successfully added user: { "user" : "x@y", "roles" : [ ] } > db.auth("x@y", "pwd") 1 > use dbx switched to db dbx

In window 2:

> use y@z switched to db y@z > db.createUser({user: "x", pwd: "pwd", roles: []}) Successfully added user: { "user" : "x", "roles" : [ ] } > db.auth("x", "pwd") 2015-09-10T17:51:49.902-0400 I ACCESS [conn1] Successfully authenticated as principal x on y@z 1 > use dbx switched to db dbx > db.col.insert({}) WriteResult({ "nInserted" : 1 }) > db.col.find({$where: "globalThing = \"B\"; return true"})

Back in the first window:

db.col.find({$where: "print(globalThing); globalThing = \"A\"; return true"})

Mongod will print "B".
Show
Create two users: The first shall be named 'x@y' and will exist on 'z'. The second shall be named 'x' and will exist on 'y@z'. In window 1: > use z switched to db z > db.createUser({user: "x@y", pwd: "pwd", roles: []}) Successfully added user: { "user" : "x@y", "roles" : [ ] } > db.auth("x@y", "pwd") 1 > use dbx switched to db dbx In window 2: > use y@z switched to db y@z > db.createUser({user: "x", pwd: "pwd", roles: []}) Successfully added user: { "user" : "x", "roles" : [ ] } > db.auth("x", "pwd") 2015-09-10T17:51:49.902-0400 I ACCESS [conn1] Successfully authenticated as principal x on y@z 1 > use dbx switched to db dbx > db.col.insert({}) WriteResult({ "nInserted" : 1 }) > db.col.find({$where: "globalThing = \"B\"; return true"}) Back in the first window: db.col.find({$where: "print(globalThing); globalThing = \"A\"; return true"}) Mongod will print "B".
Sprint:
Security 15 (06/03/16), Security 2020-02-10, Security 2020-02-24
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

The ScopePool identifies the scope it should acquire from its map by creating a key with the following structure:

<db><JSOperation>[\0<user>@<db>]

As '@' is a legal character in both <user> and <db>, it is possible to construct two users so as to cause a collision.

related to

SERVER-20365 "authentication failed, storedKey mismatch" on synthetic users and databases with '@'

Closed

SERVER-20558 AuthorizationSession::getAuthenticatedUserNamesToken should produce opaque comparable objects

Closed

Assignee:: Sara Golemon (Inactive)
Reporter:: Spencer Jackson
Participants:: Mira Carey, Sara Golemon, Spencer Jackson
Votes:: 0 Vote for this issue
Watchers:: 9 Start watching this issue

Created:: Sep 10 2015 10:11:24 PM UTC
Updated:: Feb 13 2020 03:35:58 PM UTC
Resolved:: Feb 13 2020 03:35:58 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates