author | Shaun Verch <shaun.verch@mongodb.com> | 2014-04-17 14:52:00 -0400 |
---|---|---|
committer | Shaun Verch <shaun.verch@mongodb.com> | 2014-04-17 17:00:59 -0400 |
commit | 44da20890f6af02ba766ca14991bbb072395a7ef (patch) | |
tree | f6496a2da0612fc4a8c13a1039564a5c633c947a | |
parent | b54e00ff344823cab5133142e38ec1f100728e1c (diff) | |
download | mongo-44da20890f6af02ba766ca14991bbb072395a7ef.tar.gz |
SERVER-13644 Fix command line censorship
-rw-r--r-- | jstests/ssl/ssl_options.js | 35 | ||||
-rw-r--r-- | src/mongo/util/cmdline_utils/censor_cmdline.cpp | 19 |
2 files changed, 50 insertions, 4 deletions
diff --git a/jstests/ssl/ssl_options.js b/jstests/ssl/ssl_options.js
new file mode 100644
index 00000000000..f4dcb4d4d47
--- /dev/null
+++ b/jstests/ssl/ssl_options.js
@@ -0,0 +1,35 @@
+var baseName = "jstests_ssl_ssl_options";
+
+jsTest.log("Testing censorship of ssl options");
+
+var mongodConfig = { sslPEMKeyFile : "jstests/libs/password_protected.pem",
+ sslMode : "requireSSL",
+ sslPEMKeyPassword : "qwerty",
+ sslClusterPassword : "qwerty" };
+var mongodSource = MongoRunner.runMongod(mongodConfig);
+
+var getCmdLineOptsResult = mongodSource.adminCommand("getCmdLineOpts");
+
+var i;
+var isPassword = false;
+for (i = 0; i < getCmdLineOptsResult.argv.length; i++) {
+ if (isPassword) {
+ assert.eq(getCmdLineOptsResult.argv[i], "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+ isPassword = false;
+ continue;
+ }
+
+ if (getCmdLineOptsResult.argv[i] === "--sslPEMKeyPassword" ||
+ getCmdLineOptsResult.argv[i] === "--sslClusterPassword") {
+ isPassword = true;
+ }
+}
+assert.eq(getCmdLineOptsResult.parsed.net.ssl.PEMKeyPassword, "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+assert.eq(getCmdLineOptsResult.parsed.net.ssl.clusterPassword, "<password>",
+ "Password not properly censored: " + tojson(getCmdLineOptsResult));
+
+MongoRunner.stopMongod(mongodSource.port);
+
+print(baseName + " succeeded.");
diff --git a/src/mongo/util/cmdline_utils/censor_cmdline.cpp b/src/mongo/util/cmdline_utils/censor_cmdline.cpp
index e50b7018c99..ae51d536be4 100644
--- a/src/mongo/util/cmdline_utils/censor_cmdline.cpp
+++ b/src/mongo/util/cmdline_utils/censor_cmdline.cpp
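Review bot: The argv loop in `ssl_options.js` passes vacuously when neither switch is found, because `isPassword` only becomes true on an exact match of `--sslPEMKeyPassword` or `--sslClusterPassword`; if the runner ever emits a different spelling or a single `--name=value` element, no assertion runs at all. Counting the matches and asserting the total after the loop, e.g. `assert.eq(censoredCount, 2, "Expected both password switches in argv: " + tojson(getCmdLineOptsResult));`, closes that gap. A negative check such as `assert.eq(tojson(getCmdLineOptsResult).indexOf("qwerty"), -1, "Password leaked in getCmdLineOpts reply");` would also catch the secret surfacing anywhere else in the reply, not only at the two `parsed` paths that are asserted.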
@@ -41,9 +41,9 @@ namespace mongo {
 static bool _isPasswordArgument(const char* argumentName) {
 static const char* const passwordArguments[] = {
- "sslPEMKeyPassword",
- "ssl.PEMKeyPassword",
- "servicePassword",
+ "net.ssl.PEMKeyPassword",
+ "net.ssl.clusterPassword",
+ "processManagement.windowsService.servicePassword",
 NULL // Last entry sentinel.
 };
 for (const char* const* current = passwordArguments; *current; ++current) {
@@ -54,6 +54,13 @@ namespace mongo {
 }
 static bool _isPasswordSwitch(const char* switchName) {
+ static const char* const passwordSwitches[] = {
+ "sslPEMKeyPassword",
+ "sslClusterPassword",
+ "servicePassword",
+ NULL // Last entry sentinel.
+ };
+
 if (switchName[0] != '-')
 return false;
 size_t i = 1;
@@ -61,7 +68,11 @@ namespace mongo {
 i = 2;
 switchName += i;
- return _isPasswordArgument(switchName);
+ for (const char* const* current = passwordSwitches; *current; ++current) {
+ if (mongoutils::str::equals(switchName, *current))
+ return true;
+ }
+ return false;
 }
 static void _redact(char* arg) { |
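Review bot: `passwordArguments` is a hand-maintained deny-list that fails open: an option whose key is missing or spelled differently from the parsed name is returned uncensored with no error, and the renamed entries in this hunk suggest the keys had already drifted once. A comment above the table would make the contract explicit, for example `// Canonical dotted key of every option that carries a secret; extend this whenever such an option is registered, or its value is reported uncensored.` The same applies to the `passwordSwitches` table added in the second hunk, which now has to be kept in step with this one by hand. The matching loop of `_isPasswordArgument` continues outside the hunk.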
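Review bot: The lookup loop added at the end of `_isPasswordSwitch` repeats the scan whose header is visible in `_isPasswordArgument` in the first hunk; that loop's body lies outside the hunk, so it is presumed to use the same `equals` comparison. A small file-local helper taking the name and the sentinel-terminated table would keep the two functions from diverging, leaving each with only its own table of names. The start of `_isPasswordSwitch` is in the previous hunk, and the helper name below is only a suggestion.

```cpp
static bool _isInTable(const char* name, const char* const* table) {
    for (const char* const* current = table; *current; ++current) {
        if (mongoutils::str::equals(name, *current))
            return true;
    }
    return false;
}

// … unchanged: passwordSwitches table and leading-dash handling in _isPasswordSwitch …
        switchName += i;
        return _isInTable(switchName, passwordSwitches);
```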