[SERVER-17180] Don't create a connection back to ourself in copydb if "fromhost" is missing and credentials provided Created: 04/Feb/15 Updated: 06/Dec/22 Resolved: 10/Sep/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Code, Security, Usability |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Backlog - Security Team |
| Resolution: | Done | Votes: | 0 |
| Labels: | platforms-re-triaged |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Server Security |
| Operating System: | ALL |
| Sprint: | Security 0 03/13/15, Security 1 04/03/15 |
| Participants: | |
| Description |
|
Usually if you run "copydb" but do not include a "fromhost" field, we assume you are copying from yourself and use a DBDirectClient instead of a real connection to the source server. If you specify a username/password, however, the driver will likely run copydbgetnonce/copydbsaslstart, which will create an actual connection back to ourself on localhost. Easiest fix is probably to make copydbsaslstart and copydbgetnonce fail if "fromhost" is empty, as if you're copying from yourself you shouldn't provide credentials anyway; you should just authenticate your connection to an appropriate user before running copydb. |
| Comments |
| Comment by Sara Williamson [ 10/Sep/18 ] |
|
Gone away with the removal of copydb. |