[CDRIVER-3012] Authentication attempted after parsing empty username in URI
Created: 11/Mar/19  Updated: 28/Oct/23  Resolved: 17/Jun/19

Status: Closed
Project: C Driver
Component/s: auth, libmongoc, uri
Affects Version/s: None
Fix Version/s: 1.15.0

Type: Bug
Priority: Minor - P4
Reporter: Jeremy Mikola
Assignee: Haris Sheikh (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends: is depended on by PHPC-1346 "Do not allow empty string for username" (Closed)

 Description   

In mongodb/mongo-php-driver#966, a user attempted to connect to the database with the following connection string:

mongodb://@localhost:27017

I believe mongoc_uri_parse_before_slash() parsed this string and yielded an empty string for the username and a null password. As a result, mongoc_cluster_init() later decided that authentication was required due to a non-null username (no auth source was specified). This led to a very cryptic "Authentication failed." error message from the server. I assume the "@" was a typo, as the user originally reported that they were not using authentication.

I'm not sure if there is any valid use case where an empty username would be accepted by the server. If not, perhaps we can consider adding some validation around this to raise a client-side error during URI parsing – or at least not decide to require auth if username is an empty string.



 Comments   
Comment by Githook User [ 14/Jun/19 ]

Author: Haris Sheikh <harissheikh@Hariss-MacBook-Pro.local>

Message: CDRIVER-3012 updated uri functions to not accept the empty string as a username
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/ef2a50a71482318861d35efe59317d47dd53ceef
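
The distinction this issue asks the URI parser to make, as an added example (not code from this issue, the linked commit, or libmongoc): a URI with no userinfo means "do not authenticate", while an empty username before "@" is reported at parse time instead of being treated as a credential. classify_userinfo and the cred_status values are hypothetical names, and percent-decoding of the userinfo is assumed to happen elsewhere.

```c
#include <stdio.h>
#include <string.h>

typedef enum { CRED_NONE, CRED_PRESENT, CRED_EMPTY_USER, CRED_BAD_URI } cred_status;

/* Hypothetical helper, not a libmongoc function: classify the userinfo part of
 * "mongodb://[user[:password]@]host[:port][/...]" and copy out the username. */
static cred_status
classify_userinfo (const char *uri, char *user, size_t user_size)
{
   static const char scheme[] = "mongodb://";
   const char *start, *end, *p, *at = NULL, *user_end;
   size_t len;
   user[0] = '\0';
   if (strncmp (uri, scheme, sizeof scheme - 1) != 0)
      return CRED_BAD_URI;
   start = uri + sizeof scheme - 1;
   end = start + strcspn (start, "/?"); /* authority stops at '/' or '?' */
   for (p = start; p < end; p++)        /* userinfo ends at the last '@' */
      if (*p == '@')
         at = p;
   if (!at)
      return CRED_NONE; /* no userinfo at all: no authentication */
   user_end = memchr (start, ':', (size_t) (at - start));
   if (!user_end)
      user_end = at;
   len = (size_t) (user_end - start);
   if (len == 0)
      return CRED_EMPTY_USER; /* "@host" or ":pw@host": fail at parse time */
   if (len >= user_size)
      return CRED_BAD_URI; /* username does not fit the caller's buffer */
   memcpy (user, start, len);
   user[len] = '\0';
   return CRED_PRESENT;
}

int main (void)
{
   /* Constructed sample URIs; the second is the one from the report. */
   const char *uris[] = {"mongodb://localhost:27017",
                         "mongodb://@localhost:27017",
                         "mongodb://alice:secret@localhost:27017"};
   const char *names[] = {"no credentials", "credentials present",
                          "empty username (reject)", "malformed URI"};
   char user[64];
   for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
      printf ("%-42s -> %s\n", uris[i], names[classify_userinfo (uris[i], user, sizeof user)]);
   return 0;
}
```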
