authorEliot Horowitz <eliot@10gen.com>2011-05-03 10:53:24 -0400
committerEliot Horowitz <eliot@10gen.com>2011-05-03 10:53:24 -0400
commit18dc400e68183bb2332d9e5440b939972340a031 (patch)
tree3706866c9d407c6bb1c99fda26631f6836e3e145
parent33897ac5d18956afcb605547f7ce337ed7c65603 (diff)
downloadmongo-18dc400e68183bb2332d9e5440b939972340a031.tar.gz
don't allow blank username or password SERVER-3003
-rw-r--r--db/pdfile.cpp12
-rw-r--r--jstests/auth1.js17
-rw-r--r--shell/db.js9
-rw-r--r--shell/mongo_vstudio.cpp9
4 files changed, 43 insertions, 4 deletions
diff --git a/db/pdfile.cpp b/db/pdfile.cpp
index d6e2d1610f6..9ad7099934e 100644
--- a/db/pdfile.cpp
+++ b/db/pdfile.cpp
@@ -1580,8 +1580,16 @@ namespace mongo {
// later:check for dba-type permissions here if have that at some point separate
if ( strstr(ns, ".system.indexes" ) )
wouldAddIndex = true;
- else if ( legalClientSystemNS( ns , true ) )
- ;
+ else if ( legalClientSystemNS( ns , true ) ) {
+ if ( obuf && strstr( ns , ".system.users" ) ) {
+ BSONObj t( reinterpret_cast<const char *>( obuf ) );
+ uassert( 14051 , "system.user entry needs 'user' field to be a string" , t["user"].type() == String );
+ uassert( 14052 , "system.user entry needs 'pwd' field to be a string" , t["pwd"].type() == String );
+
+ uassert( 14053 , "system.user entry needs 'user' field to be non-empty" , t["user"].String().size() );
+ uassert( 14054 , "system.user entry needs 'pwd' field to be non-empty" , t["pwd"].String().size() );
+ }
+ }
else if ( !god ) {
out() << "ERROR: attempt to insert in system namespace " << ns << endl;
return DiskLoc();
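Review bot: The `pwd` checks (14052, 14054) only validate the stored value, and the shell/db.js hunk of this commit shows that value is `hex_md5( username + ":mongo:" + pass )`, which is non-empty even when `pass` is empty. The server therefore cannot reject a blank password here; only a client that checks before hashing, such as the shell's addUser, does. I would state that in a comment above the uasserts, e.g. `// 'pwd' is a client-computed digest: this rejects a missing or empty field, not an empty plaintext password`. The branch also appears to sit on the insert path only (the enclosing function starts and ends outside the hunk), so it is worth confirming that updates to system.users get the same validation.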
diff --git a/jstests/auth1.js b/jstests/auth1.js
index ce0159b17ed..a2cc48ab403 100644
--- a/jstests/auth1.js
+++ b/jstests/auth1.js
@@ -38,3 +38,20 @@ pass = "a" + Math.random();
db2.addUser( "eliot" , pass );
assert.commandFailed( db2.runCommand( { authenticate: 1, user: "eliot", nonce: "foo", key: "bar" } ) );
+
+// check sanity check SERVER-3003
+
+before = db2.system.users.count()
+
+assert.throws( function(){
+ db2.addUser( "" , "abc" )
+} , null , "C1" )
+
+assert.throws( function(){
+ db2.addUser( "abc" , "" )
+} , null , "C2" )
+
+
+after = db2.system.users.count()
+assert( before > 0 , "C3" )
+assert.eq( before , after , "C4" )
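Review bot: C2 never reaches the server, because `db2.addUser( "abc" , "" )` throws in the shell helper before `save`, so the new server-side `pwd` uasserts have no coverage. `assert.throws` would also pass for any unrelated exception. A direct write would exercise the server check, e.g. `db2.system.users.insert( { user : "abc" , pwd : "" } );` followed by `assert( db2.getLastError() , "C5" )`, placed before the `after` count is taken. A case with a non-string `user` or `pwd` would cover 14051 and 14052 too.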
diff --git a/shell/db.js b/shell/db.js
index ff88f988053..75f8c22dd02 100644
--- a/shell/db.js
+++ b/shell/db.js
@@ -60,15 +60,22 @@ DB.prototype.adminCommand = function( obj ){
DB.prototype._adminCommand = DB.prototype.adminCommand; // alias old name
DB.prototype.addUser = function( username , pass, readOnly ){
+ if ( pass == null || pass.length == 0 )
+ throw "password can't be empty";
+
readOnly = readOnly || false;
var c = this.getCollection( "system.users" );
var u = c.findOne( { user : username } ) || { user : username };
u.readOnly = readOnly;
u.pwd = hex_md5( username + ":mongo:" + pass );
- print( tojson( u ) );
c.save( u );
+ var le = this.getLastErrorObj();
+ printjson( le )
+ if ( le.err )
+ throw "couldn't add user: " + le.err
+ print( tojson( u ) );
}
DB.prototype.removeUser = function( username ){
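Review bot: `printjson( le )` runs on every call, success or failure, and reads like leftover debugging; I would drop it, since the thrown message already carries `le.err`. The retained `print( tojson( u ) )` still echoes the stored `pwd` digest to the console, where it may end up in scrollback or captured output, so consider printing only `user` and `readOnly`. The guard at the top covers only `pass`; the blank-username case from the commit title is left to the server round trip, and a matching `if ( username == null || username.length == 0 ) throw "username can't be empty";` would fail before `findOne`. The same lines are embedded in shell/mongo_vstudio.cpp and would need regenerating.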
diff --git a/shell/mongo_vstudio.cpp b/shell/mongo_vstudio.cpp
index bcd85c72d26..416afe51deb 100644
--- a/shell/mongo_vstudio.cpp
+++ b/shell/mongo_vstudio.cpp
@@ -1682,15 +1682,22 @@ const StringData _jscode_raw_db =
"DB.prototype._adminCommand = DB.prototype.adminCommand; // alias old name\n"
"\n"
"DB.prototype.addUser = function( username , pass, readOnly ){\n"
+"if ( pass == null || pass.length == 0 )\n"
+"throw \"password can't be empty\";\n"
+"\n"
"readOnly = readOnly || false;\n"
"var c = this.getCollection( \"system.users\" );\n"
"\n"
"var u = c.findOne( { user : username } ) || { user : username };\n"
"u.readOnly = readOnly;\n"
"u.pwd = hex_md5( username + \":mongo:\" + pass );\n"
-"print( tojson( u ) );\n"
"\n"
"c.save( u );\n"
+"var le = this.getLastErrorObj();\n"
+"printjson( le )\n"
+"if ( le.err )\n"
+"throw \"couldn't add user: \" + le.err\n"
+"print( tojson( u ) );\n"
"}\n"
"\n"
"DB.prototype.removeUser = function( username ){\n"