[SERVER-26585] mongo shell does not URL-decode password from connection URI
Created: 11/Oct/16  Updated: 21/Mar/18  Resolved: 27/Feb/18

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: David Percy
Assignee: Sara Golemon
Resolution: Won't Fix
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

 Description   

I was trying to connect to a mongod with a password that happens to contain special characters. These special characters are supposed to be URL-encoded in the connection URI. For example, if the password is pass%word the connection URI should be mongodb://root:pass%25word@localhost:27017/test.

Using db.auth shows that the password contains a special character:

/tmp/repro % mongo
MongoDB shell version: 3.2.10
connecting to: test
> db.auth('root', 'pass%word')
1
>
bye

The shell accepts this incorrect connection URI:

/tmp/repro % mongo 'mongodb://root:pass%word@localhost:27017/test'
MongoDB shell version: 3.2.10
connecting to: mongodb://root:pass%word@localhost:27017/test
>
bye

The shell does not accept this correct connection URI:

/tmp/repro % mongo 'mongodb://root:pass%25word@localhost:27017/test'
MongoDB shell version: 3.2.10
connecting to: mongodb://root:pass%25word@localhost:27017/test
2016-10-11T17:43:25.421-0400 E QUERY    [thread1] Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:223:14
@(connect):1:6
 
exception: connect failed

Relevant part of the connection URI spec:

4. Validate, split (if applicable), and URL decode the user information.

https://github.com/mongodb/specifications/blob/master/source/connection-string/connection-string-spec.rst#reference-implementation



 Comments   
Comment by Sara Golemon [ 27/Feb/18 ]

As stated earlier, this functionality is present in 3.4 and later.

Comment by Chibuikem Amaechi [ 22/Jan/18 ]

No prob. If no further work is needed on my end, I'll leave this ticket alone.

- Chibuikem. A

Comment by Sara Golemon [ 22/Jan/18 ]

Oh! My bad, I didn't notice you were different people.
Sorry about that!

Comment by Chibuikem Amaechi [ 22/Jan/18 ]

Hi Sara,

I believe it was David Percy who reported this issue; I'm just a contributor who happened to come across this ticket and decided to take a look into it.

Comment by Sara Golemon [ 22/Jan/18 ]

Hi, thanks for pointing this out!

As background, the mongodb:// URI parser was heavily refactored in 3.6.0 and that refactor has already been backported to the soon to be released 3.4.11. Unfortunately, bringing that fix to 3.2 raises an unacceptable level of complexity for a stable release, so we opted not to go that far.

Your proposed fix is probably safe enough, though it's also a bit more blunt than the problem calls for. I'll look into the feasibility of applying just the uri decode portions of the mongodb:// uri parser rewrite to the v3.2 branch.

In the meantime, if there's any way you can use the 3.6 client (it won't require upgrading your servers), that version is ready to go now and will behave the way you want.

Comment by Chibuikem Amaechi [ 13/Jan/18 ]

My proposed change would be to add the following fragment of code inside the
function expression: function(url, user, pass) in mongo/src/mongo/shell/mongo.js:

try {
    url = decodeURI(url);
} catch (e) {
    throw Error(e.name + ": Some characters in connection string cannot be URI decoded.");
}

Please share your thoughts.
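
The split-then-decode order from step 4 of the spec quoted in the description, set against decoding the whole string with decodeURI before splitting. This is an added example, not code from the ticket or from the MongoDB shell. The function names are hypothetical, the validation rule is an assumption, and only the mongodb://[user[:password]@]hosts[/...] shape is handled.

```javascript
// Added example, not the shell's code; all function names are hypothetical.
// Covers only mongodb://[user[:password]@]hosts[/...] to keep the point visible.

// Split first: userinfo ends at the last '@' before the first '/'.
function splitUserInfo(uri) {
    const prefix = "mongodb://";
    if (!uri.startsWith(prefix)) throw new Error("URI must start with " + prefix);
    const authority = uri.slice(prefix.length).split("/")[0];
    const at = authority.lastIndexOf("@");
    if (at === -1) return { rawUser: null, rawPass: null, hosts: authority };
    const userInfo = authority.slice(0, at);
    const colon = userInfo.indexOf(":");
    return {
        rawUser: colon === -1 ? userInfo : userInfo.slice(0, colon),
        rawPass: colon === -1 ? null : userInfo.slice(colon + 1),
        hosts: authority.slice(at + 1),
    };
}

// Validate, then decode one field. Rejecting a stray '%', '@' or ':' is this
// example's reading of "validate"; such characters must arrive percent-encoded.
function decodeField(raw, name) {
    if (raw === null) return null;
    if (/%(?![0-9A-Fa-f]{2})/.test(raw)) throw new Error(name + ": unescaped '%'");
    if (/[@:]/.test(raw)) throw new Error(name + ": unescaped '@' or ':'");
    return decodeURIComponent(raw);
}

// Spec order: split, then decode username and password independently.
function parseUserInfo(uri) {
    const { rawUser, rawPass, hosts } = splitUserInfo(uri);
    return { user: decodeField(rawUser, "username"),
             password: decodeField(rawPass, "password"), hosts };
}

// Comparison: decode the whole string with decodeURI, then split. decodeURI
// does not decode reserved escapes (%40, %3A, %2F, ...), so they stay encoded.
function passwordAfterWholeDecode(uri) {
    return splitUserInfo(decodeURI(uri)).rawPass;
}
```

For the ticket's pass%25word both functions yield pass%word, but for a password escaped as p%40ss%3Aw%2Frd only parseUserInfo returns p@ss:w/rd; the whole-string variant leaves it encoded. The unescaped form pass%word is rejected by both: parseUserInfo by its validation step, decodeURI with a URIError.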
