[CDRIVER-530] SASL version check does not do what you think it does Created: 17/Feb/15 Updated: 08/Jan/24 Resolved: 08/Jun/15 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | auth, Build, libmongoc |
| Affects Version/s: | 1.1.0 |
| Fix Version/s: | 1.2-beta0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Ryan Schmidt | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
mongo-c-driver 1.1.0 (and the latest code in the repository also) contains the file src/mongoc/mongoc-sasl.c with this code intended to only call the function sasl_client_done on SASL version 2.1.24 or greater:
This code is clearly completely wrong. What will happen if the SASL version is 2.2.0? or 3.0.0? (sasl_client_done will not be called, though you would want it to be.) Another problem: you're checking the SASL version at compile time. What if the version of SASL at compile time is different from the SASL version at runtime? |
| Comments |
| Comment by Githook User [ 05/Aug/15 ] |
|
Author: {u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}Message: |
| Comment by Githook User [ 12/Jun/15 ] |
|
Author: {u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@emptysquare.net'}Message: Merge pull request #238 from ajdavis/ C Driver SASL fixes |
| Comment by Githook User [ 12/Jun/15 ] |
|
Author: {u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}Message: |
| Comment by Githook User [ 05/Jun/15 ] |
|
Author: {u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}Message: |
| Comment by Mira Carey [ 26/Feb/15 ] |
|
Hi, The version check is certainly sloppy, thanks for pointing that out. We'll definitely want to disambiguate it for a future release. I don't think this can be a bug today (we require a min version of 2.1.6, and 2.1.26 is the latest cyrus sasl release from 3 years ago), and looking closely, I think we may just be doing this entirely wrong (sasl_client_done unloads global plugins... we probably shouldn't be doing that on a per connection basis). So I'm going to open a new ticket to check on that functionality that I'll have this ticket depend on. Regards, |
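
The failure mode discussed in the report and the reply above, as an added example that is not code from mongo-c-driver or from this ticket. The original snippet is not shown on this page, so `componentwise_at_least` assumes a check that tests major, minor and step independently, which matches the behaviour the report describes. All function names are hypothetical and the version triples are constructed.

```c
#include <stdio.h>

/* Assumed shape of the reported check: each component is compared on its
 * own, so a newer major or minor with a small step value is rejected. */
static int componentwise_at_least(int major, int minor, int step)
{
    return major >= 2 && minor >= 1 && step >= 24;
}

/* Pack the triple into one integer so that integer ordering equals
 * lexicographic ordering of (major, minor, step).
 * Assumption: minor and step each fit in 8 bits. */
static unsigned long pack_version(int major, int minor, int step)
{
    return ((unsigned long)major << 16) |
           ((unsigned long)minor << 8) |
           (unsigned long)step;
}

/* Ordered comparison against 2.1.24, the threshold named in the report. */
static int ordered_at_least(int major, int minor, int step)
{
    return pack_version(major, minor, step) >= pack_version(2, 1, 24);
}

int main(void)
{
    /* Constructed sample versions, including those named in the thread. */
    static const int v[][3] = {
        {2, 1, 6}, {2, 1, 23}, {2, 1, 24}, {2, 1, 26}, {2, 2, 0}, {3, 0, 0}
    };
    size_t i;

    for (i = 0; i < sizeof v / sizeof v[0]; i++) {
        printf("%d.%d.%d  componentwise=%d  ordered=%d\n",
               v[i][0], v[i][1], v[i][2],
               componentwise_at_least(v[i][0], v[i][1], v[i][2]),
               ordered_at_least(v[i][0], v[i][1], v[i][2]));
    }
    return 0;
}
```

The two checks agree for every 2.1.x version and diverge only at 2.2.0 and 3.0.0, which is why the flaw stays latent while 2.1.26 is the newest release.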