[SERVER-33744] Server does not enforce handshake protocol requirement that 'application.name' be present if the client metadata defines an 'application' section

Created: 08/Mar/18 | Updated: 27/Oct/23 | Resolved: 27/Apr/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Code |
| Affects Version/s: | 3.6.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Bernard Gorman | Assignee: | Mark Benvenuto |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Participants: |
| Description |
|
Per the handshake protocol spec, we require that if the optional 'application' section is specified in the metadata passed by the driver to the server, then the 'name' subfield must be specified (and presumably non-empty). Currently, client_metadata.cpp does not enforce this requirement; it only checks that the 'name' field is of type string if present. |
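
The gap described in this ticket, as an added example (not code from client_metadata.cpp or from the MongoDB project): a check that only type-checks 'name' when present, beside one that applies the spec reading given in the description. The `Value`/`Doc` types, the function names and the sample inputs are hypothetical stand-ins constructed for illustration; no BSON library is used.

```cpp
#include <map>
#include <optional>
#include <string>
#include <variant>

// Constructed stand-in for a BSON value: either a string or an int.
using Value = std::variant<std::string, int>;
using Doc = std::map<std::string, Value>;

// Client metadata reduced to the one section under discussion.
struct ClientMetadata {
    std::optional<Doc> application;  // empty when the driver omits the section
};

// Behaviour the ticket describes: 'name' is only type-checked if present.
bool validateLenient(const ClientMetadata& md) {
    if (!md.application) return true;
    auto it = md.application->find("name");
    if (it == md.application->end()) return true;  // missing name is accepted
    return std::holds_alternative<std::string>(it->second);
}

// Spec reading from the description: if 'application' is present, 'name'
// must be present and a string; non-empty is the reporter's presumption.
bool validateStrict(const ClientMetadata& md) {
    if (!md.application) return true;  // the whole section stays optional
    auto it = md.application->find("name");
    if (it == md.application->end()) return false;
    const auto* name = std::get_if<std::string>(&it->second);
    return name != nullptr && !name->empty();
}

// Constructed sample inputs.
ClientMetadata noApplication() { return {}; }
ClientMetadata emptyApplication() { return {Doc{}}; }
ClientMetadata named(const std::string& n) { return {Doc{{"name", n}}}; }
ClientMetadata wrongType() { return {Doc{{"name", 42}}}; }
```

The two checks disagree only on an 'application' section with no 'name' and on an empty 'name'; both accept an omitted section and both reject a non-string 'name'.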
| Comments |
| Comment by Bernard Gorman [ 28/Apr/18 ] |
|
Sorry mark.benvenuto, this slipped off my radar. Re: the in-code comment above, I'm not sure what else "Optional with caveats" could mean, other than that the 'name' is optional only in the sense that the enclosing optional-with-no-caveats 'application' document may be omitted. I don't see any dependencies between the 'name' field and any other fields in the spec that this could be referring to. |
| Comment by Mark Benvenuto [ 30/Mar/18 ] |
|
While the drivers spec does say that, the server code that is the authoritative source does not: See https://github.com/markbenvenuto/mongo/blob/809c0e8f6974cfb78585f063ee368cfd484fe818/src/mongo/rpc/metadata/client_metadata.h#L56-L58
| Comment by Bernard Gorman [ 30/Mar/18 ] |
|
mark.benvenuto: My understanding of the spec is that the client can choose to omit the application section entirely, but if present it cannot be empty, and in particular must include the name field. The clearest statement of this requirement is the following, from the spec:
| Comment by Mark Benvenuto [ 29/Mar/18 ] |
|
The application name field is always optional. I think it is a driver spec bug for existence of the application section to imply the name field is required. |