Core Server / SERVER-9476

Don't log entire command obj for authenticate

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.5.4
    • Affects Version/s: 2.4.3
    • Component/s: Security
    • Labels: None
    • ALL

      Example log line:

      Thu Apr 25 16:35:30.246 [conn1]  authenticate db: test { authenticate: 1, nonce: "ce88504553b16752", user: "z", key: "6deb79af26ebcdd2b2c40438008cb7b0" }
      

      The log entry has more than enough information for any malicious entity to impersonate a user. And even worse, the log will also display an error if authentication fails, so it is easy to tell which users are valid just by examining the logs.

            Assignee: Andy Schwerin (schwerin@mongodb.com)
            Reporter: Randolph Tan (randolph@mongodb.com)
            Votes: 0
            Watchers: 3

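An added example, not part of the ticket and not MongoDB's own code: a scrubber for existing log files that redacts the `nonce` and `key` values from lines shaped like the one quoted above and lists the (db, user) pairs whose authentication data was written to the log. The function names are hypothetical, the line layout is assumed from the single example in the ticket, and the sample lines other than the ticket's own are constructed.

```python
import re

# Layout assumed from the one 2.4.3 line quoted in the ticket:
#   <timestamp> [connN]  authenticate db: <db> { authenticate: 1, nonce: "...", user: "...", key: "..." }
AUTH_LINE = re.compile(
    r'^.*?\s\[conn\d+\]\s+authenticate db: (?P<db>\S+) \{(?P<body>.*)\}\s*$')
# Fields that should never reach the log. Already-scrubbed values are skipped,
# so running the scrubber over its own output reports nothing new.
SECRET = re.compile(r'\b(?P<name>nonce|key): "(?!<redacted>")(?:[^"\\]|\\.)*"')
USER = re.compile(r'\buser: "(?P<user>(?:[^"\\]|\\.)*)"')


def scrub_line(line):
    """Return (line with nonce/key redacted, (db, user) or None if nothing leaked)."""
    m = AUTH_LINE.match(line)
    if not m:
        return line, None
    body, hits = SECRET.subn(lambda f: f'{f.group("name")}: "<redacted>"', m.group("body"))
    if hits == 0:
        return line, None
    user = USER.search(body)
    # Splice the cleaned body back in place so the rest of the line is untouched.
    clean = line[:m.start("body")] + body + line[m.end("body"):]
    return clean, (m.group("db"), user.group("user") if user else "<unknown>")


def scan(lines):
    """Scrub every line; return (scrubbed lines, sorted unique exposed (db, user) pairs)."""
    out, exposed = [], set()
    for line in lines:
        clean, hit = scrub_line(line)
        out.append(clean)
        if hit:
            exposed.add(hit)
    return out, sorted(exposed)


SAMPLE_LOG = [
    # constructed: an unrelated line that must pass through unchanged
    'Thu Apr 25 16:35:29.100 [initandlisten] connection accepted from 127.0.0.1:50000 #1',
    # the example line from the ticket
    'Thu Apr 25 16:35:30.246 [conn1]  authenticate db: test { authenticate: 1, nonce: "ce88504553b16752", user: "z", key: "6deb79af26ebcdd2b2c40438008cb7b0" }',
    # constructed: same layout, placeholder nonce and key
    'Thu Apr 25 16:36:02.511 [conn2]  authenticate db: admin { authenticate: 1, nonce: "0000000000000000", user: "app", key: "ffffffffffffffffffffffffffffffff" }',
]

if __name__ == "__main__":
    clean, exposed = scan(SAMPLE_LOG)
    print("\n".join(clean))
    print("exposed (db, user):", exposed)
```

The scrubber keeps the user name and database in each line, so the reported pairs can still be matched against the scrubbed log when deciding which credentials to treat as exposed.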