<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:15:59 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-2676] mongoc_database_add_user must not send hashed password</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-2676</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;The function &lt;tt&gt;mongoc_database_add_user&lt;/tt&gt; is a C driver helper to construct a &lt;a href=&quot;https://docs.mongodb.com/master/reference/command/createUser/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;createUser command&lt;/a&gt;. Currently it does not send the correct form of the &lt;tt&gt;pwd&lt;/tt&gt; field for MongoDB 4.0.&lt;/p&gt;

&lt;p&gt;The createUser command allows two ways to specify the password:&lt;/p&gt;

&lt;p&gt;The field &lt;tt&gt;pwd&lt;/tt&gt; can be a plaintext password. Example in mongo shell (assuming mongod is running with --auth):&lt;/p&gt;
&lt;pre&gt;db.runCommand ( {createUser: &quot;username&quot;, pwd: &quot;plaintext_password&quot;, roles: [ { role: &quot;root&quot;, db: &quot;admin&quot; } ] })&lt;/pre&gt;

&lt;p&gt;Or &lt;tt&gt;pwd&lt;/tt&gt; can be the result of an MD5 hash of the form:&lt;/p&gt;
&lt;pre&gt;md5(username + &quot;:mongo:&quot; + password)&lt;/pre&gt;
&lt;p&gt;and &lt;tt&gt;digestPassword&lt;/tt&gt; must be set to false.&lt;/p&gt;

&lt;p&gt;In MongoDB 4.0, we authenticate using a new, more secure authentication mechanism, SCRAM-SHA-256. When creating a user with SCRAM-SHA-256 credentials, MongoDB 4.0 no longer allows specifying the password in a hashed form, and will return an error.&lt;/p&gt;

&lt;p&gt;Unfortunately, &lt;tt&gt;mongoc_database_add_user&lt;/tt&gt; does send &lt;tt&gt;pwd&lt;/tt&gt; using the hashed form of the password, so currently this function always returns an error if connected to a MongoDB 4.0 server. Instead, we must do the simpler thing: send the plaintext password and omit the &lt;tt&gt;digestPassword&lt;/tt&gt; field.&lt;/p&gt;

&lt;p&gt;Then, update the &lt;a href=&quot;http://mongoc.org/libmongoc/current/mongoc_database_add_user.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;docs page for mongoc_database_add_user&lt;/a&gt; to warn the user to only call this method if the driver is using TLS.&lt;/p&gt;

&lt;p&gt;Then, update places in our tests which should be using &lt;tt&gt;mongoc_database_add_user&lt;/tt&gt; but aren&apos;t: &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/r1.10/src/libmongoc/tests/test-mongoc-topology.c#L465-L478&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt; and &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/r1.10/src/libmongoc/tests/test-mongoc-client.c#L435-L449&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;</description>
                <environment></environment>
        <key id="552478">CDRIVER-2676</key>
            <summary>mongoc_database_add_user must not send hashed password</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="evgeni.dobranov@mongodb.com">Evgeni Dobranov</assignee>
                                    <reporter username="kevin.albertson@mongodb.com">Kevin Albertson</reporter>
                        <labels>
                    </labels>
                <created>Thu, 31 May 2018 22:04:46 +0000</created>
                <updated>Sat, 28 Oct 2023 11:29:49 +0000</updated>
                            <resolved>Wed, 6 Jun 2018 14:25:47 +0000</resolved>
                                                    <fixVersion>1.11.0</fixVersion>
                                                        <votes>0</votes>
                                    <watches>2</watches>
                                                                                                                <comments>
                            <comment id="1912368" author="xgen-internal-githook" created="Wed, 6 Jun 2018 14:23:19 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;username&apos;: &apos;edobranov&apos;, &apos;name&apos;: &apos;Evgeni Dobranov&apos;, &apos;email&apos;: &apos;evobranov@gmail.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2676&quot; title=&quot;mongoc_database_add_user must not send hashed password&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2676&quot;&gt;&lt;del&gt;CDRIVER-2676&lt;/del&gt;&lt;/a&gt; fix add_user to omit hashed password&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/eb157380a965ae1ba26dd1e60f5d1bd3f5a82a3c&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/eb157380a965ae1ba26dd1e60f5d1bd3f5a82a3c&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|htqfp3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>