[SERVER-7691] Java driver is capable of crashing mongod with a simple insert
Created: 16/Nov/12 Updated: 15/Feb/13 Resolved: 06/Dec/12

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Stability |
| Affects Version/s: | 2.0.0, 2.2.1 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Critical - P2 |
| Reporter: | Joel Westberg | Assignee: | Unassigned |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | Crash, Driver |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Windows 2008 r2 & OSX |
| Operating System: | ALL |
| Steps To Reproduce: | Run the following in Java: new Mongo().getDB("test").getCollection("test").insert(new BasicDBObject("\u0000Žö", "")); |

| Description |
The Java driver can crash any MongoDB server by writing a document containing a special string as the field name: \u0000Žö
This actually came up during real-world usage when Apache Tika managed to produce the magical string as part of a field name. I have no idea what makes this string special, but removing any character will cause no issues. Anyway, the result is the following output from mongod on OSX (output is similar on Windows):
Attempting to insert a document containing a field name such as the one described, using the mongo JavaScript shell, does not work unless it's part of a sub-document. Doing so, however, will cause an assertion error when trying to list the document.
I have not tested this with any other driver.
| Comments |
| Comment by Eliot Horowitz (Inactive) [ 10/Dec/12 ] |
Sorry, correct case is
| Comment by Joel Westberg [ 09/Dec/12 ] |
I urge you to reconsider, as this is capable of bringing down a mongod in production. In my case our application was generating the NUL, but I can easily see a malevolent user passing NUL to a web service backed by MongoDB, potentially bringing down the entire production service if the app happens to have been developed in a few unlucky languages (such as Java). The severity of this issue in comparison to
| Comment by Ian Whalen (Inactive) [ 06/Dec/12 ] |
Although it's a slightly different symptom, this problem will be worked on as a part of
| Comment by Joel Westberg [ 16/Nov/12 ] |
It's rather intriguing, though, that removing either the 'Ž' or the 'ö' character, or replacing them, does not affect the server as harshly. I think the crash will only happen if the NUL character is followed by at least 2 multi-byte UTF-8 characters, but I might be mistaken.
| Comment by Tad Marshall [ 16/Nov/12 ] |
Hi Joel, thanks a lot for posting what you've found. The BSON storage format and wire protocol store field names as NUL-terminated strings, and so it is not possible for a field name to contain an embedded NUL. The upshot is that we need to parse these more thoroughly at the driver (or shell) and perhaps be more defensive at the server. If the server is run with --objcheck, it will perform validation on data presented by clients, but this is not on by default because the expectation is that the server is running in a secured environment with qualified clients. This issue is related to Tad
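Tad's comment above gives the root cause: BSON encodes a field name as a cstring, so the first NUL byte ends the name and the bytes that follow it are consumed as the next part of the element, which is why the server's own parser ends up reading lengths and offsets that are nonsense. The Python below is an added illustration written for this ticket, not code from MongoDB, the Java driver or any BSON library: a minimal encoder for string-only documents that rejects a name with an embedded NUL (the driver-side check Tad asks for), and a validator in the spirit of --objcheck that walks the raw bytes and reports the inconsistency an unchecked encoding produces instead of trusting it. The function names, the restriction to string values and the sample inputs are my own.

```python
import struct
from typing import Dict, List

BSON_STRING = 0x02  # element type byte for a UTF-8 string value


def validate_field_name(name: str) -> str:
    """Reject a field name that cannot survive BSON's cstring encoding.

    BSON terminates field names with a NUL byte, so an embedded NUL would
    silently truncate the name and desynchronise the rest of the document.
    A driver should fail here, before anything reaches the wire.
    """
    if "\x00" in name:
        raise ValueError("field name contains an embedded NUL byte")
    return name


def encode_document(fields: Dict[str, str], check_names: bool = True) -> bytes:
    """Encode a flat document of string values as BSON bytes.

    Only string values are supported (an assumption of this example).
    check_names=False mimics a driver that trusts the caller and writes the
    name bytes out exactly as given.
    """
    body = b""
    for name, value in fields.items():
        if check_names:
            validate_field_name(name)
        if not isinstance(value, str):
            raise TypeError("this example encodes string values only")
        e_name = name.encode("utf-8") + b"\x00"        # cstring: bytes + NUL
        payload = value.encode("utf-8") + b"\x00"      # string: int32 length + bytes + NUL
        body += bytes([BSON_STRING]) + e_name + struct.pack("<i", len(payload)) + payload
    # document: int32 total length (including itself and the trailing NUL) + elements + NUL
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def check_document(doc: bytes) -> List[str]:
    """Walk raw BSON bytes the way a server-side object check would.

    Every length and offset is bounds-checked against the real buffer before
    it is used. Returns the list of problems found; empty means well-formed.
    """
    problems: List[str] = []
    if len(doc) < 5:
        return ["document shorter than the 5-byte minimum"]
    declared = struct.unpack_from("<i", doc, 0)[0]
    if declared != len(doc):
        problems.append(f"declared length {declared} does not match actual length {len(doc)}")
    if doc[-1] != 0:
        problems.append("document is not NUL-terminated")
    pos, end = 4, len(doc) - 1
    while pos < end:
        elem_start = pos
        etype = doc[pos]
        pos += 1
        nul = doc.find(b"\x00", pos, end)  # end of the cstring field name
        if nul < 0:
            problems.append(f"unterminated field name at offset {pos}")
            break
        try:
            doc[pos:nul].decode("utf-8")
        except UnicodeDecodeError:
            problems.append(f"field name at offset {pos} is not valid UTF-8")
        pos = nul + 1
        if etype != BSON_STRING:
            problems.append(f"unsupported element type 0x{etype:02x} at offset {elem_start}")
            break
        if pos + 4 > end:
            problems.append(f"truncated string length at offset {pos}")
            break
        slen = struct.unpack_from("<i", doc, pos)[0]
        pos += 4
        if slen < 1 or pos + slen > end:
            problems.append(f"string length {slen} at offset {pos - 4} runs outside the document")
            break
        if doc[pos + slen - 1] != 0:
            problems.append(f"string value at offset {pos} is not NUL-terminated")
        pos += slen
    return problems


if __name__ == "__main__":
    # Constructed inputs: an ordinary document, then the field name from this ticket
    # written by an encoder that skips the name check.
    print(check_document(encode_document({"a": "b"})))
    raw = encode_document({"\u0000\u017d\u00f6": ""}, check_names=False)
    print(raw.hex())
    print(check_document(raw))
```

With the check enabled, encode_document raises before any bytes are produced. With it disabled, the name's bytes after the NUL (the UTF-8 for Ž and ö) land where the validator expects the string's int32 length, and check_document reports a length that runs outside the document rather than following it; the point is that the receiving side must validate every embedded length against the actual buffer instead of assuming a qualified client, which is what --objcheck enables.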