don't allow blank usernmae or password SERVER-3003

2024-12-01 01:21:03 +01:00 · 2011-05-03 10:53:24 -04:00 · 2011-05-03 10:53:24 -04:00 · 18dc400e68
commit 18dc400e68
parent 33897ac5d1
4 changed files with 43 additions and 4 deletions
--- a/db/pdfile.cpp
+++ b/db/pdfile.cpp
@ -1580,8 +1580,16 @@ namespace mongo {
                // later:check for dba-type permissions here if have that at some point separate
                if ( strstr(ns, ".system.indexes" ) )
                    wouldAddIndex = true;
-                else if ( legalClientSystemNS( ns , true ) )
-                    ;
+                else if ( legalClientSystemNS( ns , true ) ) {
+                    if ( obuf && strstr( ns , ".system.users" ) ) {
+                        BSONObj t( reinterpret_cast<const char *>( obuf ) );
+                        uassert( 14051 , "system.user entry needs 'user' field to be a string" , t["user"].type() == String );
+                        uassert( 14052 , "system.user entry needs 'pwd' field to be a string" , t["pwd"].type() == String );
+
+                        uassert( 14053 , "system.user entry needs 'user' field to be non-empty" , t["user"].String().size() );
+                        uassert( 14054 , "system.user entry needs 'pwd' field to be non-empty" , t["pwd"].String().size() );
+                    }
+                }
                else if ( !god ) {
                    out() << "ERROR: attempt to insert in system namespace " << ns << endl;
                    return DiskLoc();
--- a/jstests/auth1.js
+++ b/jstests/auth1.js
@ -38,3 +38,20 @@ pass = "a" + Math.random();
 db2.addUser( "eliot" , pass );

 assert.commandFailed( db2.runCommand( { authenticate: 1, user: "eliot", nonce: "foo", key: "bar" } ) );
+
+// check sanity check SERVER-3003
+
+before = db2.system.users.count()
+
+assert.throws( function(){
+    db2.addUser( "" , "abc" )
+} , null , "C1" )
+
+assert.throws( function(){
+    db2.addUser( "abc" , "" )
+} , null , "C2" )
+
+
+after = db2.system.users.count()
+assert( before > 0 , "C3" )
+assert.eq( before , after , "C4" )
--- a/shell/db.js
+++ b/shell/db.js
@ -60,15 +60,22 @@ DB.prototype.adminCommand = function( obj ){
 DB.prototype._adminCommand = DB.prototype.adminCommand; // alias old name

 DB.prototype.addUser = function( username , pass, readOnly ){
+    if ( pass == null || pass.length == 0 )
+        throw "password can't be empty";
+
    readOnly = readOnly || false;
    var c = this.getCollection( "system.users" );
    
    var u = c.findOne( { user : username } ) || { user : username };
    u.readOnly = readOnly;
    u.pwd = hex_md5( username + ":mongo:" + pass );
-    print( tojson( u ) );

    c.save( u );
+    var le = this.getLastErrorObj();
+    printjson( le )
+    if ( le.err )
+        throw "couldn't add user: " + le.err
+    print( tojson( u ) );
 }

 DB.prototype.removeUser = function( username ){
--- a/shell/mongo_vstudio.cpp
+++ b/shell/mongo_vstudio.cpp
@ -1682,15 +1682,22 @@ const StringData _jscode_raw_db =
 "DB.prototype._adminCommand = DB.prototype.adminCommand; // alias old name\n" 
 "\n" 
 "DB.prototype.addUser = function( username , pass, readOnly ){\n" 
+"if ( pass == null || pass.length == 0 )\n" 
+"throw \"password can't be empty\";\n" 
+"\n" 
 "readOnly = readOnly || false;\n" 
 "var c = this.getCollection( \"system.users\" );\n" 
 "\n" 
 "var u = c.findOne( { user : username } ) || { user : username };\n" 
 "u.readOnly = readOnly;\n" 
 "u.pwd = hex_md5( username + \":mongo:\" + pass );\n" 
-"print( tojson( u ) );\n" 
 "\n" 
 "c.save( u );\n" 
+"var le = this.getLastErrorObj();\n" 
+"printjson( le )\n" 
+"if ( le.err )\n" 
+"throw \"couldn't add user: \" + le.err\n" 
+"print( tojson( u ) );\n" 
 "}\n" 
 "\n" 
 "DB.prototype.removeUser = function( username ){\n"