  1. Core Server
  2. SERVER-34003

passwords are not redacted from unrecognized commands

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 4.0.0
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Fully Compatible
    • ALL
    • Platforms 2018-04-09, Platforms 2018-04-23, Platforms 2018-05-07

      If I run the createUse command as opposed to createUser:

      db.runCommand({ createUse: "foo" , pwd: "secret"})

      I get no less than three copies of the password in the log:

      [gabriel@earthshaker mongo-linux]$ ./mongod -vvvvv 2>&1 | grep secret                                                                                                                                                                                                                       
      2018-03-20T12:57:06.470-0400 D -        [conn1] User Assertion: CommandNotFound: no such command: 'createUse', bad cmd: '{ createUse: "foo", pwd: "secret", $db: "test" }' src/mongo/db/service_entry_point_common.cpp 844                                                                  
      2018-03-20T12:57:06.470-0400 D COMMAND  [conn1] assertion while executing command 'createUse' on database 'test': CommandNotFound: no such command: 'createUse', bad cmd: '{ createUse: "foo", pwd: "secret", $db: "test" }'                                                                
      2018-03-20T12:57:06.470-0400 I COMMAND  [conn1] command test.$cmd appName: "MongoDB Shell" command: { createUse: "foo", pwd: "secret", $db: "test" } numYields:0 ok:0 errMsg:"no such command: 'createUse', bad cmd: '{ createUse: \"foo\", pwd: \"secret\", $db: \"test\" }'" errName:CommandNotFound errCode:59 reslen:187 locks:{} protocol:op_msg 0ms          

            billy.donahue@mongodb.com Billy Donahue
            gabriel.russell@mongodb.com Gabriel Russell (Inactive)
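
A log scrubber for the leak reported above, as an added example that is not part of the original ticket or of MongoDB's fix: it masks `pwd` values by field name rather than by command name, so a misspelled command is still covered, and it also catches the backslash-escaped copy inside `errMsg`. The sample lines are constructed from the excerpt above with timestamps dropped; the function names, the `<redacted>` marker, and the way an embedded quote is escaped in the last sample line are assumptions.

```python
import re

# Fields whose values must never reach a log. "pwd" is the field from the
# report; extend the tuple for other credential-bearing fields.
SENSITIVE_FIELDS = ("pwd",)

_KEYS = "|".join(re.escape(k) for k in SENSITIVE_FIELDS)
_FIELD_RE = re.compile(
    r'\b(' + _KEYS + r')(\s*:\s*)(?:'
    # \"...\" : the copy of the command embedded in errMsg:"..."
    r'(\\")(?:[^"\\]|\\\\(?:\\[\\"]|[^"\\]))*\\"'
    # "..." : the command document itself
    r'|(")(?:[^"\\]|\\.)*")'
)

def redact_line(line):
    """Mask every sensitive value in one log line; return (line, count)."""
    def _mask(m):
        quote = m.group(3) or m.group(4)  # keep the original quoting style
        return f"{m.group(1)}{m.group(2)}{quote}<redacted>{quote}"
    return _FIELD_RE.subn(_mask, line)

def scrub(lines):
    """Return (scrubbed_lines, hits); hits maps line index -> values masked."""
    out, hits = [], {}
    for i, line in enumerate(lines):
        clean, n = redact_line(line)
        out.append(clean)
        if n:
            hits[i] = n
    return out, hits

# Constructed sample, modelled on the log excerpt in the report.
SAMPLE_LOG = r'''
D -        [conn1] User Assertion: CommandNotFound: no such command: 'createUse', bad cmd: '{ createUse: "foo", pwd: "secret", $db: "test" }'
I COMMAND  [conn1] command test.$cmd command: { createUse: "foo", pwd: "secret", $db: "test" } ok:0 errMsg:"no such command: 'createUse', bad cmd: '{ createUse: \"foo\", pwd: \"secret\", $db: \"test\" }'" errCode:59
I COMMAND  [conn1] command test.$cmd command: { ping: 1, $db: "test" } ok:1
I COMMAND  [conn1] command test.$cmd command: { createUse: "bar", pwd: "p\"w, x: \"1", $db: "test" } ok:0
'''.strip().splitlines()

if __name__ == "__main__":
    scrubbed, hits = scrub(SAMPLE_LOG)
    for i, line in enumerate(scrubbed):
        print(f"[{hits.get(i, 0)} masked] {line}")
```

Scrubbing existing log files removes the stored copies only; a password that was already written to a log should still be rotated.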