[SERVER-9609] Ensure users can only call getMore on cursors they created - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.5.5
Component/s: Querying, Security
Labels:
None

Backwards Compatibility:
Minor Change
Sprint:
Query 2017-03-27

Description

A ClientCursor should be associated with the set of users that were authenticated when it was created. A getMore should only succeed if the intersection of currently authenticated users and the set of users associated with the ClientCursor is nonempty (or the set of users associated with the ClientCursor is empty).

Attachments

Issue Links

is documented by

DOCS-10023 Docs for SERVER-9609: Ensure users can only call getMore on cursors they created

Closed

related to

SERVER-20364 Cursor is not closed when querying system.profile collection with clusterMonitor role

Closed

SERVER-27899 Privilege problems with aggregation

Closed

SERVER-17856 users on mongods should always be able to run currentOp and killOp on their own operations

Closed

SERVER-28260 Create a killAnyCursor privilege

Closed

SERVER-8369 kill cursor of an internal only ClientCursor used for yielding could cause memory corruption

Closed

(1 related to)

Activity

People

Assignee:: Tess Avitabile (Inactive)

Reporter:: Andy Schwerin

Participants:: Andy Schwerin, Githook User, Jared D. Cottrell, Tess Avitabile

Votes:: 1 Vote for this issue

Watchers:: 14 Start watching this issue

Dates

Created:: May 07 2013 08:25:53 PM UTC

Updated:: Feb 12 2018 03:50:22 PM UTC

Resolved:: Mar 22 2017 05:10:47 PM UTC