[SERVER-19940] ensure find/getmore replData term is protected by a privilege check
Created: 13/Aug/15 | Updated: 21/Jan/20 | Resolved: 04/Sep/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Replication |
| Affects Version/s: | None |
| Fix Version/s: | 3.1.8 |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Eric Milkie |
| Assignee: | Benety Goh |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | RPL 9 (09/18/15) |
| Description |
|
As part of liveness detection, the internal replication use of the find and getMore commands can pass a term number as part of the request metadata. In order to prevent lay users from presenting bogus metadata to the server, we need to check that the user running such a find/getMore possesses the same privilege as is required for the other internal replication commands, namely:
|
| Comments |
| Comment by Githook User [ 04/Sep/15 ] |
|
Author: Benety Goh (benety) <benety@mongodb.com>
Message: The term field was added to the find/getMore commands to support replication protocol version 1 and is meant to be used by replica set nodes to communicate metadata to their sync sources. |