[SERVER-17180] Don't create a connection back to ourself in copydb if "fromhost" is missing and credentials provided
Created: 04/Feb/15  Updated: 06/Dec/22  Resolved: 10/Sep/18

Status: Closed
Project: Core Server
Component/s: Internal Code, Security, Usability
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Backlog - Security Team
Resolution: Done
Votes: 0
Labels: platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by PYTHON-832 Re-enable copy_database tests in auth... Closed
Related
is related to SERVER-17034 Deadlock between poorly-formed copydb... Closed
Assigned Teams:
Server Security
Operating System: ALL
Sprint: Security 0 03/13/15], Security 1 04/03/15
Participants:

 Description   

Usually if you run "copydb" but do not include a "fromhost" field, we assume you are copying from yourself and use a DBDirectClient instead of a real connection to the source server. If you specify a username/password, however, the driver will likely run copydbgetnonce/copydbsaslstart, which will create an actual connection back to ourself on localhost. The easiest fix is probably to make copydbsaslstart and copydbgetnonce fail if "fromhost" is empty, as if you're copying from yourself you shouldn't provide credentials anyway; you should just authenticate your connection to an appropriate user before running copydb.



 Comments   
Comment by Sara Williamson [ 10/Sep/18 ]

Gone away with the removal of copydb.
