[SERVER-30997] mongo cli --password is masked, but not when using mongodb:// connection string Created: 07/Sep/17 Updated: 30/Oct/23 Resolved: 30/Jul/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Tools |
| Affects Version/s: | 3.4.7 |
| Fix Version/s: | 3.6.9, 4.0.3, 4.1.2 |
| Type: | Improvement | Priority: | Minor - P4 |
| Reporter: | Aaron Queen | Assignee: | Jonathan Reams |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | mongo, security, tools |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Linux |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v4.0, v3.6, v3.4 |
| Sprint: | Platforms 2018-07-30 |
| Linked BF Score: | 0 |
| Description |
|
When using the following:

$ mongo --host 127.0.0.1 --user admin --password superSecret12345

You see that --password value has been masked with "x" characters, so you don't easily expose the password to others.

However, when connecting using the mongodb:// connection string, which is still waiting to be documented ( In the mongodb:// method as well, the password is also leaked into the stdout of the cli when it displays "connecting to: mongodb://admin:superSecret12345@127.0.0.1/"

I believe these should be masked in the same way, so the password is never displayed in the running process cmdline or in the stdout line displayed saying it is connecting. |
| Comments |
| Comment by Githook User [ 24/Sep/18 ] |
|
Author: {'name': 'Ian Boros', 'email': 'ian.boros@10gen.com'} Message: (cherry picked from commit 40a611d43c5a33f72066ffcf26708e43bbd4cd16) |
| Comment by Githook User [ 24/Sep/18 ] |
|
Author: {'name': 'Jonathan Reams', 'email': 'jbreams@mongodb.com', 'username': 'jbreams'} Message: (cherry picked from commit 35898a0c48b0bb1bcb0a69f7db646d2fda4ec5de) |
| Comment by Githook User [ 30/Jul/18 ] |
|
Author: {'name': 'Ian Boros', 'email': 'ian.boros@10gen.com'} Message: |
| Comment by Githook User [ 30/Jul/18 ] |
|
Author: {'name': 'Jonathan Reams', 'email': 'jbreams@mongodb.com', 'username': 'jbreams'} Message: |
| Comment by Ramon Fernandez Marina [ 09/Sep/17 ] |
|
Thanks for your report, aqueen. I tried reproducing on macOS with the latest development version, and in both cases the password is not masked. Sending to the Platform team for consideration. Regards, |
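The masking the description asks for, sketched as a log-sanitising helper that covers both the `--password` argument and the `mongodb://` userinfo. This is an added example, not code from the ticket or from the MongoDB fix; the function names, the fixed-width mask and the `mongodb+srv://` handling are assumptions made for illustration.

```python
import re

MASK = "xxxxxxxx"  # fixed width (assumption), so the mask does not reveal the password length

# Userinfo is everything between the scheme and the last "@" that precedes the
# first "/", "?", "#" or whitespace, so a raw "@" inside the password is covered.
_URI_USERINFO = re.compile(r"(mongodb(?:\+srv)?://)([^/?#\s]*)@", re.IGNORECASE)


def mask_uri_passwords(text):
    """Mask the password of every mongodb:// URI found in a line of text."""
    def _mask(match):
        scheme, userinfo = match.group(1), match.group(2)
        user, colon, _password = userinfo.partition(":")
        if not colon:  # user-only URI, nothing to hide
            return match.group(0)
        return f"{scheme}{user}:{MASK}@"
    return _URI_USERINFO.sub(_mask, text)


def mask_argv(argv):
    """Return a copy of argv that is safe to write to a log."""
    masked, hide_next = [], False
    for arg in argv:
        if hide_next and not arg.startswith("-"):
            masked.append(MASK)
        elif arg.startswith("--password="):
            masked.append("--password=" + MASK)
        else:
            masked.append(mask_uri_passwords(arg))
        # A bare -p/--password means the next token is the secret.
        hide_next = arg in ("-p", "--password")
    return masked


if __name__ == "__main__":
    # Constructed samples, reusing the values quoted in the description.
    print(mask_argv(["mongo", "--host", "127.0.0.1", "--user", "admin",
                     "--password", "superSecret12345"]))
    print(mask_argv(["mongo", "mongodb://admin:superSecret12345@127.0.0.1/"]))
    print(mask_uri_passwords(
        "connecting to: mongodb://admin:superSecret12345@127.0.0.1/"))
```

This sanitises what a wrapper script or log pipeline records; it does not change the command line the operating system reports for a process that was already started with the secret in its arguments.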