[SERVER-3003] Don't allow blank username and password to be added to system.users Created: 26/Apr/11  Updated: 12/Jul/16  Resolved: 03/May/11

Status: Closed
Project: Core Server
Component/s: Admin
Affects Version/s: None
Fix Version/s: 1.9.1

Type: Improvement Priority: Trivial - P5
Reporter: Justin Smestad Assignee: Eliot Horowitz (Inactive)
Resolution: Done Votes: 1
Labels: authentication
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-3095 Need to specify a minimum password le... Closed
Backwards Compatibility: Fully Compatible

 Description   

This could cause some really weird behavior to authenticate without a username in place. Also, blank passwords get encrypted, which also makes it difficult to detect that the password is blank. I would like to see blank fields in .addUser be rejected outright.



 Comments   
Comment by Eliot Horowitz (Inactive) [ 03/May/11 ]

It's already hashed at that point, so not really.

Comment by Scott Hernandez (Inactive) [ 03/May/11 ]

Shouldn't we check that the password isn't the empty string hashed/encrypted as well?

Comment by auto [ 03/May/11 ]

Author: Eliot Horowitz (erh) <eliot@10gen.com>

Message: don't allow blank username or password SERVER-3003
Branch: master
https://github.com/mongodb/mongo/commit/18dc400e68183bb2332d9e5440b939972340a031
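
Added example (not part of the ticket or of the MongoDB code base): an offline audit that flags accounts already stored with a blank username or a blank-password digest, the case raised in the description and comments above. It assumes the legacy `system.users` layout of that era, `{user, pwd}` with `pwd` holding the hex MD5 of `user:mongo:password`; the function names and the sample documents are constructed for illustration.

```python
import hashlib


def legacy_pwd_digest(user, password):
    """Legacy system.users digest (assumed layout): hex MD5 of 'user:mongo:password'."""
    return hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()


def audit_users(docs):
    """Return (user, finding) pairs for blank usernames and blank-password digests."""
    findings = []
    for doc in docs:
        user = doc.get("user")
        pwd = doc.get("pwd")
        if not isinstance(user, str) or user == "":
            findings.append((user, "blank username"))
            user = ""  # still test the digest a blank name would produce
        if not isinstance(pwd, str) or pwd == "":
            findings.append((user, "missing pwd digest"))
        elif pwd.lower() == legacy_pwd_digest(user, ""):
            # The username is part of the hashed string, so the blank-password
            # digest differs per account and must be recomputed for each one.
            findings.append((user, "blank password"))
    return findings


# Constructed sample documents, not taken from any real deployment.
SAMPLE_USERS = [
    {"user": "alice", "pwd": legacy_pwd_digest("alice", "correct horse")},
    {"user": "backup", "pwd": legacy_pwd_digest("backup", "")},
    {"user": "", "pwd": legacy_pwd_digest("", "s3cret")},
    {"user": "report", "pwd": legacy_pwd_digest("backup", "")},  # another user's blank digest
]

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_USERS):
        print(f"{user!r}: {finding}")
```

The `report` entry is not flagged because its stored digest was computed for a different username, which is why comparing every account against one fixed "empty password" hash would miss blank passwords.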
