[SERVER-12969] db.eval should not support load()

Created: 28/Feb/14  Updated: 11/Jul/16  Resolved: 04/Mar/14

Status: Closed
Project: Core Server
Component/s: JavaScript, Security
Affects Version/s: 2.6.0-rc0
Fix Version/s: 2.6.0-rc1

Type: Bug Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Done Votes: 1
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Operating System: ALL
Participants:

 Description   

db.eval allows a user to load a js file via the load() function. This is a potential security risk since it allows the user to instruct the server to read files on the server side.



 Comments   
Comment by Githook User [ 04/Mar/14 ]

Author: Mark Benvenuto (markbenvenuto) <mark.benvenuto@mongodb.com>

Message: SERVER-12969: db.eval should not support load()
Branch: master
https://github.com/mongodb/mongo/commit/f937093d1817c50ddc2752b08929a9acfe8e6e29
