[SERVER-20358] Usernames can contain NULL characters Created: 10/Sep/15  Updated: 18/Nov/16  Resolved: 13/Jan/16

Status: Closed
Project: Core Server
Component/s: Admin, Security
Affects Version/s: 3.1.7
Fix Version/s: 3.0.9, 3.2.3, 3.3.1

Type: Bug Priority: Major - P3
Reporter: Spencer Jackson Assignee: Rahul Dhodapkar
Resolution: Done Votes: 0
Labels: code-and-test
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Minor Change
Operating System: ALL
Backport Completed:
Steps To Reproduce:

> db.createUser({user: "user\0\0\0\0", pwd: "test", roles: []})
2015-09-10T16:25:11.720-0400 I COMMAND [conn1] command test.$cmd command: createUser { createUser: "user", pwd: "xxx", roles: [], digestPassword: false, writeConcern: { w: "majority", wtimeout: 30000.0 } } ntoreturn:1 ntoskip:0 keyUpdates:0 writeConflicts:0 numYields:0 reslen:22 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_command 160ms
Successfully added user: { "user" : "user\u0000\u0000\u0000\u0000", "roles" : [ ] }
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "test.user\u0000\u0000\u0000\u0000", "user" : "user\u0000\u0000\u0000\u0000", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KiCV1E3AlJr2QSI7K/DAiw==", "storedKey" : "DGWmOyzDcwVKWHVzhs9VFIH01xQ=", "serverKey" : "ZpyGGNlRUUCgmtXz3Y3oWIJg8Jw=" } }, "roles" : [ ] }
> use test
switched to db test
> db.auth("user\0\0\0\0", "test")
2015-09-10T16:26:13.987-0400 I ACCESS [conn1] SCRAM-SHA-1 authentication failed for on test from client 127.0.0.1 ; BadValue Incorrect number of arguments for first SCRAM-SHA-1 client message, got 2 expected 4
Error: Authentication failed.
0

Sprint: Security E (01/01/16), Security F (01/29/16)
Participants:

Description

It is possible to create usernames which contain NULL characters. It is not possible to log in to these accounts. It seems like if we wanted we could accept these characters. However, https://tools.ietf.org/html/rfc5802 defines `value-safe-char`, which is used in the username and authzid, as:

   value-safe-char = %x01-2B / %x2D-3C / %x3E-7F /
                     UTF8-2 / UTF8-3 / UTF8-4
                     ;; UTF8-char except NUL, "=", and ",".

There seem to be no provisions for encoding NULL characters.

The authenticate command seems to have an unrelated bug that manifests itself in the same way.

It seems likely that we do not want to be able to store usernames containing this character.
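The saslname rule above, worked through in Python as an added illustration (not code from this ticket or from MongoDB): "," and "=" have escapes, NUL has none, so a createUser-time check has to reject it, and an unescaped "," would trip the same comma-count check the log line above reports. All usernames, nonces and messages here are constructed.

```python
# Added example, not code from this ticket or from MongoDB: the RFC 5802
# saslname rule applied to usernames, plus the field-count check behind
# the "got 2 expected 4" log line. All names and messages are constructed.

def encode_saslname(username: str) -> str:
    """Encode a raw username as an RFC 5802 saslname.
    value-safe-char is any UTF-8 character except NUL, "=" and ",";
    "," is escaped as "=2C" and "=" as "=3D". There is no escape for
    NUL, so such a name is rejected rather than silently mangled."""
    if not username:
        raise ValueError("username must be non-empty")
    if "\x00" in username:
        raise ValueError("username contains NUL, which RFC 5802 cannot encode")
    return username.replace("=", "=3D").replace(",", "=2C")

def decode_saslname(name: str) -> str:
    """Inverse of encode_saslname; rejects NUL, bare "," and bare "="."""
    if not name or "\x00" in name or "," in name:
        raise ValueError("invalid saslname")
    if "=" in name.replace("=2C", "").replace("=3D", ""):
        raise ValueError("bare '=' in saslname")
    return name.replace("=2C", ",").replace("=3D", "=")

def client_first_message(username: str, nonce: str) -> str:
    """gs2-header 'n,,' (no channel binding, no authzid) + bare message."""
    return f"n,,n={encode_saslname(username)},r={nonce}"

def parse_client_first_message(message: str) -> dict:
    """Split on commas as the server does: exactly 4 fields, else an error
    of the same shape as the ticket's log line. Only the 'n,,' header
    built above is accepted here (RFC 5802 also allows 'y' and 'p=')."""
    parts = message.split(",")
    if len(parts) != 4:
        raise ValueError(
            f"Incorrect number of arguments, got {len(parts)} expected 4")
    flag, authzid, n, r = parts
    if flag != "n" or authzid or not n.startswith("n=") or not r.startswith("r="):
        raise ValueError("malformed client-first-message")
    return {"username": decode_saslname(n[2:]), "nonce": r[2:]}

def should_reject_new_user(username: str) -> bool:
    """createUser-time check in the spirit of the SERVER-20358 fix: refuse
    any name a SCRAM client could never present in its first message."""
    try:
        encode_saslname(username)
    except ValueError:
        return True
    return False
```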

Comments
Comment by Rahul Dhodapkar [ 13/Jan/16 ]

Backported fix.

Comment by Githook User [ 13/Jan/16 ]

Author:

{u'username': u'rahuldhodapkar', u'name': u'rahuldhodapkar', u'email': u'rahul.m.dhodapkar@gmail.com'}

Message: SERVER-20358 prevent creation of users containing NULL characters

(cherry picked from commit 6a46a7c34222329972b6c6b0fae70bc6cd72c2fa)
Branch: v3.0
https://github.com/mongodb/mongo/commit/f8f5dab11c2ed931add8d34e5e5dcc666e1ed5c8

Comment by Githook User [ 13/Jan/16 ]

Author:

{u'username': u'rahuldhodapkar', u'name': u'rahuldhodapkar', u'email': u'rahul.m.dhodapkar@gmail.com'}

Message: SERVER-20358 prevent creation of users containing NULL characters

(cherry picked from commit 6a46a7c34222329972b6c6b0fae70bc6cd72c2fa)
Branch: v3.2
https://github.com/mongodb/mongo/commit/8e63ae06e2487989800e08e3d7e9cbf07ab76274

Comment by Githook User [ 13/Jan/16 ]

Author:

{u'username': u'rahuldhodapkar', u'name': u'rahuldhodapkar', u'email': u'rahul.m.dhodapkar@gmail.com'}

Message: SERVER-20358 prevent creation of users containing NULL characters
Branch: master
https://github.com/mongodb/mongo/commit/6a46a7c34222329972b6c6b0fae70bc6cd72c2fa

Generated at Thu Feb 08 03:53:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.