[SERVER-3003] Don't allow blank username and password to be added to system.users
Created: 26/Apr/11 | Updated: 12/Jul/16 | Resolved: 03/May/11

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Admin |
| Affects Version/s: | None |
| Fix Version/s: | 1.9.1 |
| Type: | Improvement |
| Priority: | Trivial - P5 |
| Reporter: | Justin Smestad |
| Assignee: | Eliot Horowitz (Inactive) |
| Resolution: | Done |
| Votes: | 1 |
| Labels: | authentication |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Participants: | |
| Description |
|
This could cause some really weird behavior to authenticate without a username in place. Also, blank passwords get encrypted, which also makes it difficult to detect that the password is blank. I would like to see blank fields in .addUser be rejected outright.
| Comments |
| Comment by Eliot Horowitz (Inactive) [ 03/May/11 ] |
|
It's already hashed at that point, so not really. |
| Comment by Scott Hernandez (Inactive) [ 03/May/11 ] |
|
Shouldn't we check that the password isn't the empty string hashed/encrypted as well? |
| Comment by auto [ 03/May/11 ] |
|
Author: Eliot Horowitz (erh) <eliot@10gen.com>
Message: don't allow blank username or password