[SERVER-18046] security.javascriptEnabled allows aggregation with $group stage
Created: 14/Apr/15 Updated: 15/Apr/15 Resolved: 14/Apr/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | JavaScript, Security |
| Affects Version/s: | 2.6.5 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Salim B. | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Operating System: | ALL |
| Steps To Reproduce: | Set javascriptEnabled to false, restart all servers in the replica set, and try to execute a JS job. |
| Participants: |
| Description |
|
Hi all! I'm currently using MongoDB from the EPEL7 repos (version 2.6.5) on RHEL7 (replica set deployment). I've changed the default configuration file to switch to the YAML format and set "javascriptEnabled" to false, which seems to have no effect. From the mongod logs, I checked that the parameter is read:
Then we tried this JS function:
and got a result. |
| Comments |
| Comment by Salim B. [ 14/Apr/15 ] |
|
My bad, we used that group() function and got the expected result. |
| Comment by Ramon Fernandez Marina [ 14/Apr/15 ] |
|
sboulkour, the operation you posted is not db.collection.group() (which requires JavaScript) but db.collection.aggregate() with a $group pipeline stage, which does not require JavaScript. Regards, |
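
The distinction drawn in the last comment, as an added example that is not part of the original ticket or MongoDB's own code: a checker that reports which command documents depend on server-side JavaScript and so would be blocked by `security.javascriptEnabled: false`. It goes beyond the ticket by also covering `mapReduce`, `eval` and `$where`, which the MongoDB manual lists for this setting; the function names and the sample commands are constructed for illustration.

```javascript
// Added example: classify MongoDB 2.6-era command documents by whether they
// need server-side JavaScript. group() vs. aggregate/$group comes from the
// ticket; mapReduce, eval and $where follow the MongoDB manual (assumption
// relative to this page). All sample commands below are constructed.
const JS_COMMANDS = new Set(["group", "mapreduce", "eval"]);

// Recursively look for a $where operator anywhere inside a query filter.
function containsWhere(value) {
  if (Array.isArray(value)) return value.some(containsWhere);
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([key, inner]) => key === "$where" || containsWhere(inner)
  );
}

// Returns the reasons a command needs server-side JS (empty array = none).
function jsRequirements(cmd) {
  const reasons = [];
  const name = Object.keys(cmd)[0]; // the command name is the first key
  if (name === undefined) return reasons;
  if (JS_COMMANDS.has(name.toLowerCase())) reasons.push(`${name} command`);
  // Query filters sit under different keys depending on the command.
  for (const key of ["query", "q", "filter"]) {
    if (containsWhere(cmd[key])) reasons.push(`$where in ${key}`);
  }
  // An aggregate command with a $group stage adds nothing here: the
  // aggregation pipeline runs natively, which is why it still works
  // with javascriptEnabled set to false.
  return reasons;
}

// Constructed samples: the operation from the ticket, the JS-based
// group command it was mistaken for, and a count that hides a $where.
const SAMPLES = {
  aggregateGroup: { aggregate: "orders",
    pipeline: [{ $group: { _id: "$status", n: { $sum: 1 } } }] },
  groupCommand: { group: { ns: "orders", key: { status: 1 },
    $reduce: "function (cur, res) { res.n += 1; }", initial: { n: 0 } } },
  countWithWhere: { count: "orders",
    query: { $or: [{ status: "A" }, { $where: "this.total > 100" }] } },
};

for (const [label, cmd] of Object.entries(SAMPLES)) {
  const reasons = jsRequirements(cmd);
  console.log(label, reasons.length ? `needs JS: ${reasons.join(", ")}` : "no JS needed");
}
```

Running such a check over profiler or audit output before setting `javascriptEnabled` to false shows which application calls will start failing and which, like `aggregate` with `$group`, are unaffected.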