John A Meinel <email address hidden> writes:
> So I tried this patch:
> === modified file 'testing/mgo.go'
> --- testing/mgo.go 2013-11-06 13:38:01 +0000
> +++ testing/mgo.go 2013-12-18 06:23:25 +0000
> @@ -99,6 +99,7 @@
> "--noprealloc",
> "--smallfiles",
> "--nojournal",
> + "--noscripting",
> "--nounixsocket",
> }
> server := exec.Command("mongod", mgoargs...)
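Review bot: the new "--noscripting" entry in mgoargs carries no comment saying why it is there, and nothing in this hunk ties it to the arguments the non-test mongod is started with. Suggest a one-line comment above it stating that server-side JavaScript is disabled so the suite fails if any query comes to depend on $where or other scripting, and a check that the deployed mongod gets the same flag. Otherwise the tests run against a stricter server than the one in production and the hardening exists only in testing/mgo.go.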
>
>
> And with it, the test suite still passes 100% for me.
\o/
> So I have a strong feeling that --noscripting does what we want it to,
> and that we don't, indeed, need the ability.
>
> I'm not sure what test Michael had seen that used something that needed
> scripting, but I'm running against mongodb 2.2.4 and it seems to be
> working with --noscripting set up.
It was state/machine_test.go and state/unit_test.go (search for
$where). But on looking, the tests might actually be testing that
queries like this are filtered out or something -- avoiding the
equivalent of an SQL injection? Not really sure.
Thanks heaps for testing this.