[SERVER-4600] No auth for killCursors command
Created: 03/Jan/12  Updated: 26/Apr/12  Resolved: 14/Feb/12

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 2.0.2
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Eric Milkie
Assignee: Andy Schwerin
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-4892 Running server in auth mode fails to ... Closed
Operating System: ALL
Participants:

Description

In instance.cpp _assembleResponse(), we attempt to parse a namespace out of the message data, in order to check for authorization. We do this for dbInsert, dbUpdate, dbDelete, and dbKillCursors.

All of these commands include the collection name, EXCEPT dbKillCursors. dbKillCursors contains "numberOfCursorIDs" in the position for namespace. Therefore, as long as you pass a cursor count whose int binary representation contains a null byte, nothing bad will happen, other than that no authentication occurs.
If you pass, say, -1 for the cursor count, the server might crash due to not finding a null-terminated string for the namespace. On Windows, you can crash the server in debug mode by running clientTest.exe, which indeed passes -1 as part of a failure scenario test.
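
The layout mismatch described above, shown as an added example (not code from this ticket or from the MongoDB source): a bounded version of the "namespace at offset 4" read next to an opcode-aware check for killCursors. The body layouts follow the MongoDB wire protocol; the function names and the filler cursor IDs are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Message bodies after the 16-byte header (MongoDB wire protocol):
 *   OP_UPDATE, OP_DELETE: int32 ZERO,  cstring fullCollectionName, ...
 *   OP_INSERT:            int32 flags, cstring fullCollectionName, ...
 *   OP_KILL_CURSORS:      int32 ZERO,  int32 numberOfCursorIDs, int64 cursorIDs[]
 */

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed OP_KILL_CURSORS body: claimed count plus n_ids filler IDs. */
size_t build_kill_cursors(uint8_t *out, int32_t claimed, size_t n_ids) {
    put_le32(out, 0);
    put_le32(out + 4, (uint32_t)claimed);
    memset(out + 8, 0x41, 8 * n_ids);
    return 8 + 8 * n_ids;
}

/* The generic "namespace starts at offset 4" read, but bounded to the body.
 * Returns the cstring length, or -1 when no NUL lies inside the buffer
 * (the case where an unbounded strlen() would run off the end). */
long ns_len_at_offset4(const uint8_t *body, size_t len) {
    if (len <= 4) return -1;
    const uint8_t *nul = memchr(body + 4, 0, len - 4);
    return nul ? (long)(nul - (body + 4)) : -1;
}

/* Opcode-aware check: treat offset 4 as a count, never as a string, and
 * require it to match the number of 8-byte cursor IDs actually present. */
int kill_cursors_body_ok(const uint8_t *body, size_t len) {
    if (len < 8 || (len - 8) % 8 != 0) return 0;
    uint32_t n = 0;
    for (int i = 0; i < 4; i++) n |= (uint32_t)body[4 + i] << (8 * i);
    if (n > (uint32_t)INT32_MAX) return 0;   /* negative as int32, e.g. -1 */
    return (len - 8) / 8 == n;
}
```

A count of 1 parses as a one-byte "namespace" that names no collection, which is why the authorization check has nothing meaningful to test; a count of -1 has no terminator inside the body at all.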

