diff --git a/db/pdfile.cpp b/db/pdfile.cpp index d6e2d1610f6..9ad7099934e 100644 --- a/db/pdfile.cpp +++ b/db/pdfile.cpp @@ -1580,8 +1580,16 @@ namespace mongo { // later:check for dba-type permissions here if have that at some point separate if ( strstr(ns, ".system.indexes" ) ) wouldAddIndex = true; - else if ( legalClientSystemNS( ns , true ) ) - ; + else if ( legalClientSystemNS( ns , true ) ) { + if ( obuf && strstr( ns , ".system.users" ) ) { + BSONObj t( reinterpret_cast( obuf ) ); + uassert( 14051 , "system.user entry needs 'user' field to be a string" , t["user"].type() == String ); + uassert( 14052 , "system.user entry needs 'pwd' field to be a string" , t["pwd"].type() == String ); + + uassert( 14053 , "system.user entry needs 'user' field to be non-empty" , t["user"].String().size() ); + uassert( 14054 , "system.user entry needs 'pwd' field to be non-empty" , t["pwd"].String().size() ); + } + } else if ( !god ) { out() << "ERROR: attempt to insert in system namespace " << ns << endl; return DiskLoc(); diff --git a/jstests/auth1.js b/jstests/auth1.js index ce0159b17ed..a2cc48ab403 100644 --- a/jstests/auth1.js +++ b/jstests/auth1.js @@ -38,3 +38,20 @@ pass = "a" + Math.random(); db2.addUser( "eliot" , pass ); assert.commandFailed( db2.runCommand( { authenticate: 1, user: "eliot", nonce: "foo", key: "bar" } ) ); + +// check sanity check SERVER-3003 + +before = db2.system.users.count() + +assert.throws( function(){ + db2.addUser( "" , "abc" ) +} , null , "C1" ) + +assert.throws( function(){ + db2.addUser( "abc" , "" ) +} , null , "C2" ) + + +after = db2.system.users.count() +assert( before > 0 , "C3" ) +assert.eq( before , after , "C4" ) diff --git a/shell/db.js b/shell/db.js index ff88f988053..75f8c22dd02 100644 --- a/shell/db.js +++ b/shell/db.js @@ -60,15 +60,22 @@ DB.prototype.adminCommand = function( obj ){ DB.prototype._adminCommand = DB.prototype.adminCommand; // alias old name DB.prototype.addUser = function( username , pass, readOnly ){ + if ( pass == null || pass.length == 0 ) + throw "password can't be empty"; + readOnly = readOnly || false; var c = this.getCollection( "system.users" ); var u = c.findOne( { user : username } ) || { user : username }; u.readOnly = readOnly; u.pwd = hex_md5( username + ":mongo:" + pass ); - print( tojson( u ) ); c.save( u ); + var le = this.getLastErrorObj(); + printjson( le ) + if ( le.err ) + throw "couldn't add user: " + le.err + print( tojson( u ) ); } DB.prototype.removeUser = function( username ){ diff --git a/shell/mongo_vstudio.cpp b/shell/mongo_vstudio.cpp index bcd85c72d26..416afe51deb 100644 --- a/shell/mongo_vstudio.cpp +++ b/shell/mongo_vstudio.cpp @@ -1682,15 +1682,22 @@ const StringData _jscode_raw_db = "DB.prototype._adminCommand = DB.prototype.adminCommand; // alias old name\n" "\n" "DB.prototype.addUser = function( username , pass, readOnly ){\n" +"if ( pass == null || pass.length == 0 )\n" +"throw \"password can't be empty\";\n" +"\n" "readOnly = readOnly || false;\n" "var c = this.getCollection( \"system.users\" );\n" "\n" "var u = c.findOne( { user : username } ) || { user : username };\n" "u.readOnly = readOnly;\n" "u.pwd = hex_md5( username + \":mongo:\" + pass );\n" -"print( tojson( u ) );\n" "\n" "c.save( u );\n" +"var le = this.getLastErrorObj();\n" +"printjson( le )\n" +"if ( le.err )\n" +"throw \"couldn't add user: \" + le.err\n" +"print( tojson( u ) );\n" "}\n" "\n" "DB.prototype.removeUser = function( username ){\n"