[SERVER-34653] don't even parse requiresAuth commands unless client is authenticated - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.0.0, 4.1.1
Component/s: Internal Code
Labels:
- security

Backwards Compatibility:
Fully Compatible
Backport Requested:

v4.0, v3.6
Sprint:
Platforms 2018-05-07, Platforms 2018-05-21, Platforms 2018-06-04
Linked BF Score:
45

Description

Most Commands have a requiresAuth()==true condition (the default).
For those commands, we shouldn't parse() their request unless the client is authenticated.

These requests are going to be rejected anyway, so there's no user-visible change, but we could be making the rejection decision more securely and efficiently.

Attachments

Issue Links

causes

SERVER-35382 _isSelf command needs to be marked requiresAuth false

Closed

SERVER-35463 Mark listCommands as pre-auth

Closed

is related to

SERVER-38390 Set requiresAuth to false for certain commands

Closed

related to

SERVER-35463 Mark listCommands as pre-auth

Closed

SERVER-12143 Make some unauthenticated commands require auth

Closed

Activity

People

Assignee:: Billy Donahue

Reporter:: Billy Donahue

Participants:: Billy Donahue, Githook User

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: Apr 24 2018 07:28:04 PM UTC

Updated:: Dec 19 2018 02:35:15 AM UTC

Resolved:: May 31 2018 10:41:07 PM UTC