Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-59970

Fix return value from authenticate command

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: In Code Review
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: 5.0.0
    • Fix Version/s: 5.2 Required
    • Component/s: None
    • Labels:
      None
    • Operating System:
      ALL
    • Backport Requested:
      v5.1, v5.0
    • Sprint:
      Security 2021-11-01

      Description

      Typed command conversion of the {authenticate: 1} command inadvertently swapped the user and db fields resulting in replies like:

       

      $external> db.runCommand({authenticate: 1, mechanism: "MONGODB-X509"})
      {
        dbname: 'OU=Widgets,O=Stuff Inc.,C=US,ST=New York,L=New York City,CN=widget-bob',
        user: '$external',
        ok: 1
      }
      

      This happens here: https://github.com/mongodb/mongo/blob/d5156d91a608a3b7cf30fbdb63a2d31783389a47/src/mongo/db/commands/authentication_commands.cpp#L367

      return AuthenticateReply(session->getUserName().toString(),
                                                  session->getDatabase().toString());
      

      This initializes the reply through two string args to the constructor which inobviously are passed in the wrong order (DB comes first). We can fix this with a 2-line swap:

      return AuthenticateReply(session->getDatabase().toString(),
                                                  session->getUserName().toString());
      

      But a more durable fix which doesn't reply on a generated constructor signature would be to construct by parts:

      AuthenticateReply reply;
      reply.setUser(session->getUserName());
      reply.setDb(session->getDatabase());
      return reply;
      

      This way there's no ambiguity or hard to spot ordering issues.

        Attachments

          Activity

            People

            Assignee:
            sara.golemon Sara Golemon
            Reporter:
            sara.golemon Sara Golemon
            Participants:
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: