  1. Core Server
  2. SERVER-4600

No auth for killCursors command

Details

    • Bug
    • Resolution: Duplicate
    • Major - P3
    • None
    • 2.0.2
    • None
    • None
    • ALL

    Description

      In instance.cpp _assembleResponse(), we attempt to parse a namespace out of the message data in order to check for authorization. We do this for dbInsert, dbUpdate, dbDelete, and dbKillCursors.

      All of these commands include the collection name, EXCEPT dbKillCursors. dbKillCursors contains "numberOfCursorIDs" in the position for namespace. Therefore, as long as you pass a cursor count whose int binary representation contains a null byte, nothing bad will happen, other than that no authentication occurs.
      If you pass, say, -1 for the cursor count, the server might crash due to not finding a null-terminated string for the namespace. On Windows, you can crash the server in debug mode by running clientTest.exe, which indeed passes -1 as part of a failure scenario test.
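
The parsing rule the description calls for, as an added example (not MongoDB's code): the namespace is read only for opcodes that carry one, the search for the terminator is bounded by the message length, and the kill-cursors count is checked against the bytes actually received. The names ns_for_auth, kill_cursors_count and ns_status are hypothetical; the opcode numbers and field layout follow the MongoDB wire protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcodes for the page's dbUpdate, dbInsert, dbDelete, dbKillCursors. */
enum { OP_UPDATE = 2001, OP_INSERT = 2002, OP_DELETE = 2006, OP_KILL_CURSORS = 2007 };
enum ns_status { NS_OK, NS_NONE, NS_MALFORMED };

/* body/len: bytes after the 16-byte header. NS_NONE: no namespace in this op,
 * so the caller must authorize it some other way (hypothetical policy). */
enum ns_status ns_for_auth(int32_t op, const uint8_t *body, size_t len, const char **ns) {
    *ns = NULL;
    if (op != OP_UPDATE && op != OP_INSERT && op != OP_DELETE)
        return NS_NONE;   /* in OP_KILL_CURSORS, bytes 4..7 are numberOfCursorIDs */
    /* Bounded search: never scan past the end of the received message. */
    if (len <= 4 || memchr(body + 4, '\0', len - 4) == NULL)
        return NS_MALFORMED;
    *ns = (const char *)(body + 4);
    return NS_OK;
}

/* OP_KILL_CURSORS body: int32 ZERO, int32 numberOfCursorIDs, int64 cursorIDs[].
 * Returns the count, or -1 if it is negative or disagrees with the length. */
int32_t kill_cursors_count(const uint8_t *body, size_t len) {
    if (len < 8 || (len - 8) % 8 != 0)
        return -1;
    /* Little-endian int32, read bytewise (no alignment or host-order assumptions). */
    int32_t n = (int32_t)((uint32_t)body[4] | (uint32_t)body[5] << 8 |
                          (uint32_t)body[6] << 16 | (uint32_t)body[7] << 24);
    return (n < 0 || (size_t)n != (len - 8) / 8) ? -1 : n;
}

int main(void) {
    /* Constructed sample: OP_KILL_CURSORS body with numberOfCursorIDs = -1. */
    const uint8_t bad[] = {0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff};
    const char *ns;
    printf("status=%d count=%d\n", ns_for_auth(OP_KILL_CURSORS, bad, sizeof bad, &ns),
           (int)kill_cursors_count(bad, sizeof bad));
    return 0;
}
```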

          People

            schwerin@mongodb.com Andy Schwerin
            milkie@mongodb.com Eric Milkie