[SERVER-13427] Shell should verify that user password is a string during user creation Created: 31/Mar/14 Updated: 24/Sep/14 Resolved: 03/Apr/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Shell |
| Affects Version/s: | 2.4.9, 2.6.0-rc2 |
| Fix Version/s: | 2.7.0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Spencer Brody (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Backwards Compatibility: | Minor Change | ||||
| Participants: | |||||
| Description |
|
If the shell blindly accepts the password without checking the type, it will pass it into the md5 function which will coerce the password into a string. This could make it impossible to authenticate later if you are using an authentication mechanism where the password is digested server-side. |
| Comments |
| Comment by Githook User [ 03/Apr/14 ] |
|
Author: {u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@mongodb.com'}Message: |