[SERVER-20362] JS Scopes may leak between synthetic users with '@' in name and database Created: 10/Sep/15 Updated: 13/Feb/20 Resolved: 13/Feb/20 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | JavaScript |
| Affects Version/s: | 3.1.7 |
| Fix Version/s: | 4.3.1 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Sara Golemon |
| Resolution: | Done | Votes: | 0 |
| Labels: | spidermonkey |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | Create two users: In window 1:
In window 2:
Back in the first window:
Mongod will print "B". |
| Sprint: | Security 15 (06/03/16), Security 2020-02-10, Security 2020-02-24 |
| Description |
|
The ScopePool identifies the scope it should acquire from its map by creating a key with the following structure:
As '@' is a legal character in both <user> and <db>, it is possible to construct two users so as to cause a collision. |
| Comments |
| Comment by Sara Golemon [ 13/Feb/20 ] |
|
This was fixed by |
| Comment by Mira Carey [ 15/Sep/15 ] |
|
After a little digging, this actually comes down to the way we make userTokens in AuthorizationSession::getAuthenticatedUserNamesToken. Basically, we store user@db in the mongo::UserName, along with the index of the split point, but we lose it when building up the authenticated user names token. This probably needs a lower lying auth ticket to actually get fixed. |
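
The collision described in this issue, as an added example that is not MongoDB's code: it assumes the pool key joins user and database as `user@db` (the form mentioned in the comment above), and `User`, `Pool`, `joinedKey`, `pairKey`, `prefixedKey` and `leaks` are hypothetical names. It also shows two key encodings that keep the split point, so the pooled scope is not shared.

```cpp
#include <map>
#include <string>
#include <utility>

// Hypothetical stand-ins, not MongoDB's UserName or ScopePool classes.
struct User { std::string name, db; };
using Scope = std::map<std::string, std::string>;  // JS globals held by a pooled scope

// Ambiguous key (assumed "user@db" form): '@' may also appear inside either
// part, so the split point between name and db is lost.
std::string joinedKey(const User& u) { return u.name + "@" + u.db; }

// Unambiguous key: the parts stay separate fields, so no delimiter is needed.
std::pair<std::string, std::string> pairKey(const User& u) { return {u.name, u.db}; }

// Length-prefixed string key, for callers that must produce a single string.
std::string prefixedKey(const User& u) {
    return std::to_string(u.name.size()) + ":" + u.name + "@" + u.db;
}

// Minimal pool: one scope per key, reused by whoever presents the same key.
template <typename KeyFn>
struct Pool {
    KeyFn key;
    std::map<decltype(std::declval<KeyFn>()(std::declval<User>())), Scope> scopes;
    Scope& acquire(const User& u) { return scopes[key(u)]; }
};

// Returns true if a global set by `a` is visible to `b` through the pool.
template <typename KeyFn>
bool leaks(KeyFn key, const User& a, const User& b) {
    Pool<KeyFn> pool{key, {}};
    pool.acquire(a)["marker"] = "set-by-a";
    return pool.acquire(b).count("marker") != 0;
}

// Constructed sample users: distinct (name, db) pairs that both join to "a@b@c".
const User kUserA{"a@b", "c"};
const User kUserB{"a", "b@c"};

int main() {
    bool joined = leaks(joinedKey, kUserA, kUserB);      // same key, shared scope
    bool paired = leaks(pairKey, kUserA, kUserB);        // distinct keys
    bool prefixed = leaks(prefixedKey, kUserA, kUserB);  // distinct keys
    return (joined && !paired && !prefixed) ? 0 : 1;
}
```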