[CDRIVER-1929] mongoc_uri_parse_database() may overlap with URI host component Created: 17/Nov/16  Updated: 03/May/17  Resolved: 14/Mar/17

Status: Closed
Project: C Driver
Component/s: libmongoc
Affects Version/s: 1.5.0
Fix Version/s: 1.7.0

Type: Bug Priority: Minor - P4
Reporter: Jeremy Mikola Assignee: Hannes Magnusson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-1928 "Unknown command error" from authenti... Closed
is related to PHPLIB-174 Document that socket paths must be UR... Closed
Epic Link: C Driver Connection String Spec

 Description   

In PHPLIB-174, a user failed to escape the Unix domain socket path in their connection URI and received an odd exception message when database authentication failed. While reading the server logs, I realized that libmongoc was still connecting via a Unix domain socket, despite the socket path inadvertently getting picked up as uri->database in mongoc-uri.c.

I added some string dumping to mongoc_uri_parse_database() and mongoc_uri_append_host() and determined the following:

URI: mongodb://foo:bar@/tmp/mongodb-27017.sock/admin
HOST: /tmp/mongodb-27017.sock
DATABASE: tmp/mongodb-27017.sock:27017/

Although Unix domain sockets do need to be escaped per the Connection String Specification, I found it odd that libmongoc was able to parse the host properly, but failed to parse the database. Since the order of URI components is clearly defined (e.g. credentials, host list, database, query string), database parsing should start after the host list to ensure that component parsing never overlaps.



 Comments   
Comment by Hannes Magnusson [ 14/Mar/17 ]

Current master now prints:

./mongoc-ping "mongodb://user:pass@/tmp/mongodb-27017.sock/dbname"
2017/03/14 10:55:44.0694: [ 4503]:    DEBUG:      cluster: Authentication failed: Authentication failed.
Ping failure: Authentication failed.

And parsing the uri correctly (or incorrectly, as we should require the path to be encoded):

(gdb) p *cluster->uri
$3 = {
  str = 0x55555577d6c0 "mongodb://user:pass@/tmp/mongodb-27017.sock/dbname", 
  hosts = 0x55555577dc10, 
  username = 0x55555577d700 "user", 
  password = 0x55555577d720 "pass", 
  database = 0x55555577d740 "dbname", 
  options = {
    flags = 3, 
    len = 5, 
    padding =       "\005", '\000' <repeats 118 times>
  }, 
  credentials = {
    flags = 3, 
    len = 5, 
    padding =       "\005", '\000' <repeats 118 times>
  }, 
  read_prefs = 0x55555577d760, 
  read_concern = 0x55555577d8f0, 
  write_concern = 0x55555577da00
}
(gdb) p *cluster->uri->hosts
$4 = {
  next = 0x0, 
  host =     "/tmp/mongodb-27017.sock", '\000' <repeats 41 times>, 
  host_and_port =     "/tmp/mongodb-27017.sock", '\000' <repeats 47 times>, 
  port = 27017, 
  family = 1, 
  padding =     {0x0,
    0x0,
    0x0,
    0x0}
}

Comment by A. Jesse Jiryu Davis [ 17/Jan/17 ]

We haven't implemented the Connection String Spec and its tests yet, when we do let's make sure this is caught and fixed.

Generated at Wed Feb 07 21:13:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.