[SERVER-20358] Usernames can contain NULL characters Created: 10/Sep/15 Updated: 18/Nov/16 Resolved: 13/Jan/16 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Admin, Security |
| Affects Version/s: | 3.1.7 |
| Fix Version/s: | 3.0.9, 3.2.3, 3.3.1 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Rahul Dhodapkar |
| Resolution: | Done | Votes: | 0 |
| Labels: | code-and-test | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Minor Change |
| Operating System: | ALL |
| Backport Completed: | |
| Steps To Reproduce: | > db.createUser( {user: "user\0\0\0\0", pwd: "test", roles: []})
} ntoreturn:1 ntoskip:0 keyUpdates:0 writeConflicts:0 numYields:0 reslen:22 locks:{ Global: { acquireCount: { r: 4, w: 4 }}, Database: { acquireCount: { W: 4 }}, Collection: { acquireCount: { w: 1 } } } protocol:op_command 160ms
> use admin
}, "roles" : [ ] } |
| Sprint: | Security E (01/01/16), Security F (01/29/16) |
| Participants: |
| Description |
|
It is possible to create usernames which contain NULL characters. It is not possible to log in to these accounts. It seems like if we wanted we could accept these characters. However https://tools.ietf.org/html/rfc5802 defines `value-safe-char`, which is used in the username and authzid, as:
There seem to be no provisions for encoding NULL characters. The authenticate command seems to have an unrelated bug that manifests itself in the same way. It seems likely that we do not want to be able to store usernames containing this character. |
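As an added illustration (not code from the ticket or from MongoDB), a small Python model of the RFC 5802 `saslname` rules the description refers to: NUL is rejected outright because the grammar gives it no escape, while `=` and `,` are escaped as `=3D` and `=2C` so the server's attribute split of `client-first-message` stays intact. Function names and the nonce value are my own constructed choices.

```python
"""Checks for SCRAM (RFC 5802) usernames. Added example, not MongoDB code.

RFC 5802 grammar (abridged):
  value-safe-char = %x01-2B / %x2D-3C / %x3E-7F / UTF8-2 / UTF8-3 / UTF8-4
                    ;; UTF8-char except NUL, "=", and ","
  saslname        = 1*(value-safe-char / "=2C" / "=3D")
NUL (%x00) is excluded outright and has no escape, which is why a username
such as "user\\0\\0\\0\\0" can be stored but can never be authenticated.
"""
import re

_SASLNAME = re.compile(r"(?:[^\x00=,]|=2C|=3D)+")
_ESCAPES = {"=": "=3D", ",": "=2C"}
_UNESCAPES = {"3D": "=", "2C": ","}


def is_valid_scram_username(username: str) -> bool:
    """True when the name is non-empty and contains no NUL.

    '=' and ',' are accepted here because encode_saslname() can escape them.
    """
    return bool(username) and "\x00" not in username


def encode_saslname(username: str) -> str:
    """Encode a raw username for the 'n=' attribute of client-first-message."""
    if not is_valid_scram_username(username):
        raise ValueError("username is empty or contains NUL; SCRAM has no escape")
    return "".join(_ESCAPES.get(ch, ch) for ch in username)


def decode_saslname(saslname: str) -> str:
    """Inverse of encode_saslname(); rejects bare '=' / ',' and NUL."""
    if not _SASLNAME.fullmatch(saslname):
        raise ValueError("malformed saslname")
    return re.sub(r"=(3D|2C)", lambda m: _UNESCAPES[m.group(1)], saslname)


def client_first_message_bare(username: str, nonce: str) -> str:
    """Build 'n=<saslname>,r=<nonce>' (RFC 5802 client-first-message-bare)."""
    return f"n={encode_saslname(username)},r={nonce}"


def parse_client_first_message_bare(msg: str) -> dict:
    """Split on ',' then on the first '=' as a SCRAM server does; the escapes
    are what stop a username containing ',' or '=' from corrupting this split."""
    attrs = dict(part.split("=", 1) for part in msg.split(","))
    return {"username": decode_saslname(attrs["n"]), "nonce": attrs["r"]}
```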
| Comments |
| Comment by Rahul Dhodapkar [ 13/Jan/16 ] |
|
Backported fix. |
| Comment by Githook User [ 13/Jan/16 ] |
|
Author: rahuldhodapkar (rahul.m.dhodapkar@gmail.com)
Message: (cherry picked from commit 6a46a7c34222329972b6c6b0fae70bc6cd72c2fa) |
| Comment by Githook User [ 13/Jan/16 ] |
|
Author: rahuldhodapkar (rahul.m.dhodapkar@gmail.com)
Message: (cherry picked from commit 6a46a7c34222329972b6c6b0fae70bc6cd72c2fa) |
| Comment by Githook User [ 13/Jan/16 ] |
|
Author: rahuldhodapkar (rahul.m.dhodapkar@gmail.com)
Message: |