Disable JSONP by default due to security implications

2024-12-01 09:32:32 +01:00 · 2010-08-25 15:25:54 -04:00 · 2010-08-25 15:25:54 -04:00 · 259dc007d7
commit 259dc007d7
parent 6c71ce88ff
4 changed files with 14 additions and 2 deletions
--- a/db/cmdline.h
+++ b/db/cmdline.h
@ -27,6 +27,7 @@ namespace mongo {
        int port;              // --port
        string bind_ip;        // --bind_ip
        bool rest;             // --rest
+        bool jsonp;             // --jsonp

        string _replSet;       // --replSet[/<seedlist>]
        string ourSetName() const { 
@ -63,7 +64,7 @@ namespace mongo {
        };

        CmdLine() : 
-            port(DefaultDBPort), rest(false), quiet(false), notablescan(false), prealloc(true), smallfiles(false),
+            port(DefaultDBPort), rest(false), jsonp(false), quiet(false), notablescan(false), prealloc(true), smallfiles(false),
            quota(false), quotaFiles(8), cpu(false), oplogSize(0), defaultProfile(0), slowMS(100), pretouch(0), moveParanoia( true )
        { } 
        
--- a/db/db.cpp
+++ b/db/db.cpp
@ -676,6 +676,7 @@ int main(int argc, char* argv[], char *envp[] )
        ("nohints", "ignore query hints")
        ("nohttpinterface", "disable http interface")
        ("rest","turn on simple rest api")
+        ("jsonp","allow JSONP access via http (has security implications)")
        ("noscripting", "disable scripting engine")
        ("noprealloc", "disable data file preallocation")
        ("smallfiles", "use a smaller default file size")
@ -829,6 +830,9 @@ int main(int argc, char* argv[], char *envp[] )
        if (params.count("rest")) {
            cmdLine.rest = true;
        }
+        if (params.count("jsonp")) {
+            cmdLine.jsonp = true;
+        }
        if (params.count("noscripting")) {
            useJNI = false;
        }
--- a/db/dbwebserver.cpp
+++ b/db/dbwebserver.cpp
@ -168,9 +168,11 @@ namespace mongo {
                        if ( handler->requiresREST( url ) && ! cmdLine.rest ){
                            _rejectREST( responseMsg , responseCode , headers );
                        }else{
+                            string callback = params.getStringField("jsonp");
+                            uassert(13453, "server not started with --jsonp", callback.empty() || cmdLine.jsonp);
+
                            handler->handle( rq , url , params , responseMsg , responseCode , headers , from );

-                            string callback = params.getStringField("jsonp");
                            if (responseCode == 200 && !callback.empty()){
                                responseMsg = callback + '(' + responseMsg + ')';
                            }
--- a/s/server.cpp
+++ b/s/server.cpp
@ -184,6 +184,7 @@ int main(int argc, char* argv[], char *envp[] ) {
        ( "upgrade" , "upgrade meta data version" )
        ( "chunkSize" , po::value<int>(), "maximum amount of data per chunk" )
        ( "ipv6", "enable IPv6 support (disabled by default)" )
+        ( "jsonp","allow JSONP access via http (has security implications)" )
        ;

    options.add(sharding_options);
@ -210,6 +211,10 @@ int main(int argc, char* argv[], char *envp[] ) {
        enableIPv6();
    }

+    if ( params.count( "jsonp" ) ){
+        cmdLine.jsonp = true;
+    }
+
    if ( params.count( "test" ) ){
        logLevel = 5;
        UnitTest::runTests();