Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-3768

db.addUser() appears in shell history, with cleartext passwords

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.4, 2.1.1
    • Component/s: Security, Shell
    • Labels:
      None

      Description

      See below - I can retrieve my addUser lines with the up arrow.

      Aaron-Staples-MacBook-Pro:mongo aaron$ ./mongo
      MongoDB shell version: 2.0.0-rc2-pre-
      connecting to: test
      > db.addUser( 'aaron', 'mypass' )

      { "n" : 0, "connectionId" : 2, "err" : null, "ok" : 1 }

      {
      "user" : "aaron",
      "readOnly" : false,
      "pwd" : "8c875bb39fcf051edc876c0ee71d5585",
      "_id" : ObjectId("4e668f1dd04af0d2e2b8b83e")
      }
      > db.addUser( 'aaron', 'mypass' ) <<<-------- Got this one by pressing up arrow
      {
      "updatedExisting" : true,
      "n" : 1,
      "connectionId" : 2,
      "err" : null,
      "ok" : 1
      }
      {
      "_id" : ObjectId("4e668f1dd04af0d2e2b8b83e"),
      "user" : "aaron",
      "readOnly" : false,
      "pwd" : "8c875bb39fcf051edc876c0ee71d5585"
      }
      >
      bye
      Aaron-Staples-MacBook-Pro:mongo aaron$ ./mongo
      MongoDB shell version: 2.0.0-rc2-pre-
      connecting to: test
      > db.addUser( 'aaron', 'mypass' ) <<<-------- Got this one by pressing up arrow
      {
      "updatedExisting" : true,
      "n" : 1,
      "connectionId" : 4,
      "err" : null,
      "ok" : 1
      }
      {
      "_id" : ObjectId("4e668f1dd04af0d2e2b8b83e"),
      "user" : "aaron",
      "readOnly" : false,
      "pwd" : "8c875bb39fcf051edc876c0ee71d5585"
      }
      >

        Activity

        Hide
        eliot Eliot Horowitz added a comment -

        should strip from history like .auth()

        Show
        eliot Eliot Horowitz added a comment - should strip from history like .auth()
        Hide
        auto auto (Inactive) added a comment -

        Author:

        {u'login': u'RedBeard0531', u'email': u'mathias@10gen.com', u'name': u'Mathias Stearn'}

        Message: Dont add addUser lines to shell history SERVER-3768
        Branch: master
        https://github.com/mongodb/mongo/commit/88db626c74fac3ee0321f4e28e1f54d15c355fec

        Show
        auto auto (Inactive) added a comment - Author: {u'login': u'RedBeard0531', u'email': u'mathias@10gen.com', u'name': u'Mathias Stearn'} Message: Dont add addUser lines to shell history SERVER-3768 Branch: master https://github.com/mongodb/mongo/commit/88db626c74fac3ee0321f4e28e1f54d15c355fec
        Hide
        auto auto (Inactive) added a comment -

        Author:

        {u'login': u'erh', u'name': u'Eliot Horowitz', u'email': u'eliot@10gen.com'}

        Message: Dont add addUser lines to shell history SERVER-3768

        Conflicts:

        shell/dbshell.cpp
        Branch: v2.0
        https://github.com/mongodb/mongo/commit/446f597cf423d62df0b4a6c292b57da1f382649c

        Show
        auto auto (Inactive) added a comment - Author: {u'login': u'erh', u'name': u'Eliot Horowitz', u'email': u'eliot@10gen.com'} Message: Dont add addUser lines to shell history SERVER-3768 Conflicts: shell/dbshell.cpp Branch: v2.0 https://github.com/mongodb/mongo/commit/446f597cf423d62df0b4a6c292b57da1f382649c

          People

          • Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:
              Days since reply:
              3 years, 21 weeks, 2 days ago
              Date of 1st Reply: