[SERVER-36802] Don't omit db.auth() et al from shell history if they don't contain string literal password Created: 22/Aug/18  Updated: 06/Dec/22  Resolved: 17/Dec/20

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: Kevin Pulo Assignee: Backlog - Server Tooling and Methods (STM) (Inactive)
Resolution: Won't Fix Votes: 0
Labels: move-stm
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-3768 db.addUser() appears in shell history... Closed
related to SERVER-9939 createUser and updateUser commands ar... Closed
related to SERVER-5616 Any shell command containing the stri... Closed
related to SERVER-24391 Prompt for password on user creation ... Closed
related to SERVER-581 don't store line in shell history if ... Closed
related to SERVER-3788 version of auth() that prompts for pa... Closed
Assigned Teams:
Server Tooling & Methods
Participants:

 Description   

Calls to db.auth(), db.addUser(), etc. aren't added to shell history because this would cause any string literal password in the call to be stored in cleartext in the history file. However, if the password isn't specified as a string literal (e.g. passwordPrompt() is called instead), or is omitted completely (if SERVER-3788 is implemented), then the line is safe to add to history in these cases.
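
Added example, not part of the ticket and not code from the MongoDB shell: one way to make the history decision described above, keeping a line out of history only when a credential call actually carries a quoted password. The function names, the list of credential methods and the pwd/password key names are assumptions made for this illustration.

```javascript
// Added illustration, not MongoDB shell source; method list and key names are assumptions.
const SENSITIVE = /\.(auth|addUser|createUser|updateUser|changeUserPassword)\s*\(/g;
const POSITIONAL = new Set(["auth", "addUser", "changeUserPassword"]); // (user, pwd)
const hasLiteral = (expr) => /["'`]/.test(expr);

// Scan from the bracket at `open` to its match and return the comma-separated
// items at that nesting level; null if the bracket or a string never closes.
function items(src, open) {
  const out = [];
  let depth = 0, quote = null, start = open + 1;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") quote = c;
    else if ("([{".includes(c)) depth++;
    else if (")]}".includes(c)) {
      if (--depth === 0) return [...out, src.slice(start, i).trim()];
    } else if (c === "," && depth === 1) {
      out.push(src.slice(start, i).trim());
      start = i + 1;
    }
  }
  return null;
}

// Password expressions: 2nd positional argument, or a pwd/password key's value.
function passwordExprs(method, args) {
  const found = [];
  args.forEach((arg, idx) => {
    if (arg.startsWith("{")) {
      for (const field of items(arg, 0) || []) {
        const m = /^["']?(?:pwd|password)["']?\s*:(.*)$/s.exec(field);
        if (m) found.push(m[1]);
      }
    } else if (idx === 1 && POSITIONAL.has(method)) found.push(arg);
  });
  return found;
}

// true: the line may be written to history; false: keep it out (fail closed).
function safeForHistory(line) {
  for (const m of line.matchAll(SENSITIVE)) {
    const args = items(line, m.index + m[0].length - 1);
    if (args === null || passwordExprs(m[1], args).some(hasLiteral)) return false;
  }
  return true;
}
```

This is a bracket-and-quote scanner rather than a JavaScript parser, so it only judges the credential call on the line itself; a password assigned to a variable on an earlier line is outside what it checks.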



 Comments   
Comment by Robert Guo (Inactive) [ 17/Dec/20 ]

We will no longer be adding new features to the old mongo shell outside of a small number of exceptions. Please consider switching to the new shell, mongosh, for general use cases.

If this ticket is desired for Server development, please reopen.
