Core Server / SERVER-9476

Don't log entire command obj for authenticate


Details

    • Bug
    • Resolution: Done
    • Major - P3
    • 2.5.4
    • 2.4.3
    • Security
    • None
    • ALL

    Description

      Example log line:

      Thu Apr 25 16:35:30.246 [conn1]  authenticate db: test { authenticate: 1, nonce: "ce88504553b16752", user: "z", key: "6deb79af26ebcdd2b2c40438008cb7b0" }

      The log entry has more than enough information for any malicious entity to impersonate a user. And even worse, the log will also display an error if authentication fails, so it is easy to tell which users are valid just by examining the logs.
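An added example, not part of the original report or the server's code: a log scrubber for the line format shown above, which masks the `nonce` and `key` values in existing log files and lists the accounts whose authentication data was written to the log. The function names, the choice to keep `user` visible for auditing, and the second and third sample lines are assumptions made for this example.

```python
import re

# Log shape from the report:
#   <ts> [connN]  authenticate db: <db> { authenticate: 1, nonce: "..", user: "..", key: ".." }
AUTH_LINE = re.compile(r'\[(?P<conn>conn\d+)\]\s+authenticate db: (?P<db>\S+) \{(?P<body>.*)\}')
FIELD = re.compile(r'(?P<name>\w+): "(?P<value>(?:[^"\\]|\\.)*)"')
SENSITIVE = {"nonce", "key"}   # assumption: mask challenge and response, keep user for audit


def scrub_line(line):
    """Return (line with nonce/key masked, finding dict or None if unaffected)."""
    m = AUTH_LINE.search(line)
    if not m:
        return line, None
    fields = {f["name"]: f["value"] for f in FIELD.finditer(m["body"])}
    leaked = sorted(SENSITIVE.intersection(fields))
    if not leaked:
        return line, None
    def mask(f):
        return f'{f["name"]}: "<redacted>"' if f["name"] in SENSITIVE else f.group(0)
    body = FIELD.sub(mask, m["body"])
    redacted = line[:m.start("body")] + body + line[m.end("body"):]
    finding = {"conn": m["conn"], "db": m["db"],
               "user": fields.get("user", "<unknown>"), "leaked": leaked}
    return redacted, finding


def audit(lines):
    """Scrub all lines; return (redacted lines, sorted (db, user) pairs that were exposed)."""
    out, exposed = [], set()
    for line in lines:
        redacted, finding = scrub_line(line)
        out.append(redacted)
        if finding:
            exposed.add((finding["db"], finding["user"]))
    return out, sorted(exposed)


# First line is the example from the report; the other two are constructed for this example.
SAMPLE = [
    'Thu Apr 25 16:35:30.246 [conn1]  authenticate db: test { authenticate: 1, nonce: "ce88504553b16752", user: "z", key: "6deb79af26ebcdd2b2c40438008cb7b0" }',
    'Thu Apr 25 16:35:31.010 [conn2]  authenticate db: admin { authenticate: 1, nonce: "0000000000000000", user: "constructed_user", key: "00000000000000000000000000000000" }',
    'Thu Apr 25 16:35:32.000 [conn2] end connection 127.0.0.1:50000 (0 connections now open)',
]

if __name__ == "__main__":
    print(*audit(SAMPLE)[0], sep="\n")
```

The second value returned by `audit` is the list of `(db, user)` pairs to review for credential rotation.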


          People

            schwerin@mongodb.com Andy Schwerin
            randolph@mongodb.com Randolph Tan
            Votes: 0
            Watchers: 3
