author | Shaun Verch <shaun.verch@mongodb.com> | 2014-04-17 14:52:00 -0400 |
---|---|---|
committer | Shaun Verch <shaun.verch@mongodb.com> | 2014-04-17 17:01:19 -0400 |
commit | 791fcf4495b08bd8c108f3275ba4e489b4928537 (patch) | |
tree | 7838fdab910d86d775efd803aabc7770bffbefa5 | |
parent | e1f859d6aee2991de7b56e8cf519aafee9223599 (diff) | |
download | mongo-791fcf4495b08bd8c108f3275ba4e489b4928537.tar.gz |
SERVER-13644 Fix command line censorship
(cherry picked from commit 44da20890f6af02ba766ca14991bbb072395a7ef)
-rw-r--r-- | jstests/ssl/ssl_options.js | 35 | ||||
-rw-r--r-- | src/mongo/util/cmdline_utils/censor_cmdline.cpp | 19 |
2 files changed, 50 insertions, 4 deletions
diff --git a/jstests/ssl/ssl_options.js b/jstests/ssl/ssl_options.js
new file mode 100644
index 00000000000..f4dcb4d4d47
--- /dev/null
+++ b/jstests/ssl/ssl_options.js
@@ -0,0 +1,35 @@
+var baseName = "jstests_ssl_ssl_options";
+
+jsTest.log("Testing censorship of ssl options");
+
+var mongodConfig = { sslPEMKeyFile : "jstests/libs/password_protected.pem",
+ sslMode : "requireSSL",
+ sslPEMKeyPassword : "qwerty",
+ sslClusterPassword : "qwerty" };
+var mongodSource = MongoRunner.runMongod(mongodConfig);
+
+var getCmdLineOptsResult = mongodSource.adminCommand("getCmdLineOpts");
+
+var i;
+var isPassword = false;
+for (i = 0; i < getCmdLineOptsResult.argv.length; i++) {
+ if (isPassword) {
+ assert.eq(getCmdLineOptsResult.argv[i], "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+ isPassword = false;
+ continue;
+ }
+
+ if (getCmdLineOptsResult.argv[i] === "--sslPEMKeyPassword" ||
+ getCmdLineOptsResult.argv[i] === "--sslClusterPassword") {
+ isPassword = true;
+ }
+}
+assert.eq(getCmdLineOptsResult.parsed.net.ssl.PEMKeyPassword, "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+assert.eq(getCmdLineOptsResult.parsed.net.ssl.clusterPassword, "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+
+MongoRunner.stopMongod(mongodSource.port);
+
+print(baseName + " succeeded.");
diff --git a/src/mongo/util/cmdline_utils/censor_cmdline.cpp b/src/mongo/util/cmdline_utils/censor_cmdline.cpp
index e50b7018c99..ae51d536be4 100644
--- a/src/mongo/util/cmdline_utils/censor_cmdline.cpp
+++ b/src/mongo/util/cmdline_utils/censor_cmdline.cpp
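Review bot: In jstests/ssl/ssl_options.js the argv loop asserts only when it meets a bare `--sslPEMKeyPassword` or `--sslClusterPassword` element, so if the runner passes these options in another form (how `MongoRunner.runMongod` builds argv is not visible here) the loop checks nothing and the test passes on the two `parsed` assertions alone. A form-independent check after the loop would close that gap: `assert.eq(-1, tojson(getCmdLineOptsResult).indexOf("qwerty"), "Password not properly censored: " + tojson(getCmdLineOptsResult));`. The test also leaves `servicePassword` uncovered; judging by the option name in the C++ change it is Windows-specific and may need its own test.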
@@ -41,9 +41,9 @@ namespace mongo {
 static bool _isPasswordArgument(const char* argumentName) {
 static const char* const passwordArguments[] = {
- "sslPEMKeyPassword",
- "ssl.PEMKeyPassword",
- "servicePassword",
+ "net.ssl.PEMKeyPassword",
+ "net.ssl.clusterPassword",
+ "processManagement.windowsService.servicePassword",
 NULL // Last entry sentinel.
 };
 for (const char* const* current = passwordArguments; *current; ++current) {
@@ -54,6 +54,13 @@ namespace mongo {
 }
 static bool _isPasswordSwitch(const char* switchName) {
+ static const char* const passwordSwitches[] = {
+ "sslPEMKeyPassword",
+ "sslClusterPassword",
+ "servicePassword",
+ NULL // Last entry sentinel.
+ };
+
 if (switchName[0] != '-')
 return false;
 size_t i = 1;
@@ -61,7 +68,11 @@ namespace mongo {
 i = 2;
 switchName += i;
- return _isPasswordArgument(switchName);
+ for (const char* const* current = passwordSwitches; *current; ++current) {
+ if (mongoutils::str::equals(switchName, *current))
+ return true;
+ }
+ return false;
 }
 static void _redact(char* arg) { |
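Review bot: The secret option names now live in two unrelated tables, `passwordArguments` in this hunk and `passwordSwitches` in the `_isPasswordSwitch` hunk that follows, and nothing in the code ties them together. A password option added later to only one table would presumably be censored in one representation of the command line and left in clear text in the other. A comment above each table would make the coupling explicit, for example `// Dotted names as they appear in the parsed options; keep in sync with passwordSwitches in _isPasswordSwitch.` The body of `_isPasswordArgument` continues outside the hunk.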
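Review bot: The new loop in `_isPasswordSwitch` compares with `mongoutils::str::equals`, so only the exact switch text is recognised and anything with trailing characters is reported as not a password switch. Whether a switch joined to its value with `=` is split before this call is not visible in the hunk; if it is not, that form would pass through unredacted. Stating the precondition on the function would make this checkable, for example `// switchName must be the bare switch with any "=value" suffix already removed by the caller.` The start of the function, including the leading-dash handling, lies partly outside this hunk.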