[Lock] MongoDbStore::skimUri may strip repeated query string keys #37864

Closed
jmikola opened this issue Aug 17, 2020 · 0 comments

jmikola commented Aug 17, 2020

Symfony version(s) affected: 5.2-dev

Description

As mentioned in https://github.com/symfony/symfony/pull/37218/files#r471609509, the current implementation of MongoDbStore::skimUri() may silently corrupt a MongoDB connection string by stripping repeated readPreferenceTags keys in a query string (permitted use case, as mentioned in the URI options spec).

How to reproduce

An example connection string is:

mongodb://rs.example.com/?readPreference=secondaryPreferred&readPreferenceTags=dc:foo&readPreferenceTags=dc:bar

After MongoDbStore::skimUri() processes this string, only a single readPreferenceTags option would remain.

Possible Solution

I think it would be preferable to capture the URI option with a regular expression and then, if anything was found, strip it from the returned string. While collection names have their own restrictions, for purposes of URI parsing I think it'd be suitable to use a pattern like /collection=([^&]*)/i (case-insensitive and only stopping at the end of a string or a & character that might precede the next key).

Additional context

Related to #37180 and corresponding PR (#37218).

@jmikola jmikola added the Bug label Aug 17, 2020
kralos pushed a commit to kralos/symfony that referenced this issue Aug 18, 2020
@xabbuh xabbuh added the Lock label Aug 18, 2020
kralos pushed a commit to kralos/symfony that referenced this issue Aug 19, 2020
@fabpot fabpot closed this as completed Aug 19, 2020
fabpot added a commit that referenced this issue Aug 19, 2020
…ongodb uri when stripping (kralos)

This PR was squashed before being merged into the 5.1 branch.

Discussion
----------

[Lock] MongoDbStore handle duplicate querystring keys in mongodb uri when stripping

| Q             | A
| ------------- | ---
| Branch?       | 5.1
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #37864
| License       | MIT
| Doc PR        |

Allow duplicate querystring keys when stripping `collection`. `readPreferenceTags` is currently allowed to be specified twice so re-assembling the querystring with `http_build_query` will also strip duplicated `readPreferenceTags`. Use `preg_match` instead.

Commits
-------

c1ea9ae [Lock] MongoDbStore handle duplicate querystring keys in mongodb uri when stripping
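
The behaviour reported in the issue next to the regex approach named in the fix, as an added example (not Symfony's code). The function names, the `lock` collection value, the use of `parse_str()` as the parsing step and the `[?&]` anchor in the pattern are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: parse the query into an array, drop "collection", rebuild.
// parse_str() is an assumption; the page itself only names http_build_query().
function skimByRebuild(string $uri): array
{
    $pos = strpos($uri, '?');
    if ($pos === false) {
        return [$uri, null];
    }
    parse_str(substr($uri, $pos + 1), $params); // a repeated key keeps only its last value
    $collection = $params['collection'] ?? null;
    unset($params['collection']);
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);

    return [substr($uri, 0, $pos) . ($query !== '' ? '?' . $query : ''), $collection];
}

// Hypothetical helper: capture the option with a regex and cut only that span,
// leaving every other byte of the connection string untouched.
function skimByRegex(string $uri): array
{
    // The lookbehind (an addition to the pattern suggested in the issue) keeps a
    // key that merely ends in "collection" from matching.
    if (!preg_match('/(?<=[?&])collection=([^&]*)&?/i', $uri, $m, PREG_OFFSET_CAPTURE)) {
        return [$uri, null];
    }
    $start = $m[0][1];
    $skimmed = substr($uri, 0, $start) . substr($uri, $start + strlen($m[0][0]));

    // Drop a separator left dangling when "collection" was the last option.
    return [rtrim($skimmed, '?&'), rawurldecode($m[1][0])];
}

// Constructed sample: the connection string from the issue plus a collection option.
$uri = 'mongodb://rs.example.com/?readPreference=secondaryPreferred'
     . '&readPreferenceTags=dc:foo&collection=lock&readPreferenceTags=dc:bar';

foreach (['skimByRebuild', 'skimByRegex'] as $fn) {
    [$skimmed, $collection] = $fn($uri);
    $tags = substr_count($skimmed, 'readPreferenceTags=');
    printf("%-14s collection=%s readPreferenceTags=%d\n  %s\n", $fn, $collection, $tags, $skimmed);
}
```

Comparing the `readPreferenceTags` count before and after skimming is a cheap regression check for any code that rewrites connection strings.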