Details
-
Bug
-
Resolution: Fixed
-
Major - P3
-
None
-
None
-
Fully Compatible
-
ALL
Description
This is a classic syslog "%s" error. We should just pretty much always use "%s" format and then the string we want to log as the next argument, just to make it less tempting for a % sign to creep into the format strings under maintenance.
```src/mongo/db/modules/mongo-enterprise-modules/src/sasl/canon_mongodb_internal.cpp:78:41: error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
utils->seterror(utils->conn, 0, sb.str().c_str());
^~~~~~~~~~~~~~~~```
These get it right:
src/mongo/client/sasl_sspi.cpp:97: utils->seterror(utils->conn, 0, "%s", buffer.c_str());
src/sasl/mongo_sspi.cpp:122: utils->seterror(utils->conn, 0, "%s", buffer.c_str());
The rest get it sort of wrong:
billy@billydev:~/dev/mongodb/mongo$ git grep -E -n '\b(sasl_)?seterror'
src/mongo/client/cyrus_sasl_client_session.cpp:202: sasl_seterror(conn, 0, "No password data provided");
src/mongo/client/cyrus_sasl_client_session.cpp:211: sasl_seterror(conn, 0, sb.str().c_str());
src/mongo/client/sasl_sspi.cpp:114: cparams->utils->seterror(cparams->utils->conn, 0, "getcallback user failed");
src/mongo/client/sasl_sspi.cpp:122: cparams->utils->seterror(cparams->utils->conn, 0, "user callback failed");
src/mongo/client/sasl_sspi.cpp:130: cparams->utils->seterror(cparams->utils->conn, 0, "no @REALM found in username");
src/mongo/client/sasl_sspi.cpp:190: cparams->utils->seterror(cparams->utils->conn, 0, "SSPI: no serverFQDN");
src/mongo/client/sasl_sspi.cpp:255: cparams->utils->seterror(cparams->utils->conn, 0, "SSPI: server message is too short");
src/mongo/client/sasl_sspi.cpp:262: cparams->utils->seterror(
src/mongo/client/sasl_sspi.cpp:458: utils->seterror(utils->conn, 0, "Wrong SSPI version");
src/sasl/canon_mongodb_internal.cpp:62: utils->seterror(utils->conn, 0, "All-whitespace username.");
src/sasl/canon_mongodb_internal.cpp:68: utils->seterror(utils->conn, 0, "Canonicalized username too long.");
src/sasl/canon_mongodb_internal.cpp:78: utils->seterror(utils->conn, 0, sb.str().c_str());
src/sasl/cyrus_sasl_authentication_session.cpp:126: sasl_seterror(conn, 0, errorMsg.str().c_str());
src/sasl/cyrus_sasl_authentication_session.cpp:133: sasl_seterror(conn, 0, sb.str().c_str());
src/sasl/mongo_sspi.cpp:141: sparams->utils->seterror(sparams->utils->conn, 0, "SSPI: no serverFQDN");
src/sasl/mongo_sspi.cpp:184: sparams->utils->seterror(sparams->utils->conn, 0, "SSPI: client unexpectedly sent data");
src/sasl/mongo_sspi.cpp:310: sparams->utils->seterror(
src/sasl/mongo_sspi.cpp:317: sparams->utils->seterror(sparams->utils->conn, 0, "SSPI: wrong security layer from client");
src/sasl/mongo_sspi.cpp:324: sparams->utils->seterror(sparams->utils->conn, 0, "SSPI: no authz name in auth handshake");