call "sys"."settimeout"(-9) is allowed currently but it should not be allowed.
Also it immediately results in a situation where every sent SQL results in an
Error: Query aborted due to timeout
This makes the session useless for the application/user. This should not be possible.
Reproducible: Always
Steps to Reproduce:
Start mserver5
Start mclient
Execute SQL queries:
SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
CALL "sys"."settimeout"(9);
SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
CALL "sys"."settimeout"(0);
SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
CALL "sys"."settimeout"(-9);
SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
Actual Results:
Welcome to mclient, the MonetDB/SQL interactive terminal (unreleased)
Database: MonetDB v11.24.0 (unreleased), 'demo'
Type \q to quit, ? for a list of available commands
auto commit mode: on
sql>SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
+--------------+
| querytimeout |
+==============+
| 0 |
+--------------+
1 tuple (1.189ms)
sql>
sql>CALL "sys"."settimeout"(9);
sql>SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
+--------------+
| querytimeout |
+==============+
| 9 |
+--------------+
1 tuple (0.966ms)
sql>
sql>CALL "sys"."settimeout"(0);
sql>SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
+--------------+
| querytimeout |
+==============+
| 0 |
+--------------+
1 tuple (0.802ms)
sql>
sql>CALL "sys"."settimeout"(-9);
Query aborted due to timeout
sql>SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
Query aborted due to timeout
sql>
Expected Results:
error msg "Illegal timeout value: -9" after: CALL "sys"."settimeout"(-9);
No setting or change of the querytimeout parameter of the current session, such that successive SQL statements are executed normally.
Potentially also
CALL "sys"."settimeout"(9, -10);
and
CALL "sys"."setsession"(-9);
should be protected against calling negative session timeouts.
Date: 2016-10-06 17:48:39 +0200
From: Martin van Dinther <<martin.van.dinther>>
To: SQL devs <>
Version: 11.23.7 (Jun2016-SP1)
CC: @mlkersten
Last updated: 2016-12-21 13:07:12 +0100
Comment 24467
Date: 2016-10-06 17:48:39 +0200
From: Martin van Dinther <<martin.van.dinther>>
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Build Identifier:
Comment 24468
Date: 2016-10-06 18:05:10 +0200
From: @mlkersten
I patched the default branch to protect against it.
Comment 24469
Date: 2016-10-06 18:07:01 +0200
From: MonetDB Mercurial Repository <>
Changeset ba5ba134b9e2 made by Martin van Dinther martin.van.dinther@monetdbsolutions.com in the MonetDB repo, refers to this bug.
For complete details, see http://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=ba5ba134b9e2
Changeset description:
Comment 24470
Date: 2016-10-06 18:08:29 +0200
From: Martin van Dinther <<martin.van.dinther>>
The procedures:
-- control the query and session time out
create procedure sys.settimeout("query" bigint)
external name sql.settimeout;
create procedure sys.settimeout("query" bigint, "session" bigint)
external name sql.settimeout;
create procedure sys.setsession("timeout" bigint)
external name sql.setsession;
are created in file: 22_clients.sql
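Added illustration, not part of the bug thread and not MonetDB's actual patch: a C model of the reported behaviour and of the check the report asks for, covering the three procedures listed above. The session_t struct, the function names and the rule that a non-zero limit aborts a query once its elapsed time exceeds it are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical session state: timeouts in seconds, 0 means "no limit". */
typedef struct {
    long long querytimeout, sessiontimeout;
    char errmsg[64];
} session_t;

/* Assumed enforcement rule: a non-zero limit aborts a query once its elapsed
 * time exceeds the limit. A negative limit is exceeded at elapsed == 0. */
static int query_aborted(const session_t *s, long long elapsed) {
    return s->querytimeout != 0 && elapsed > s->querytimeout;
}

/* Unchecked setter: stores any value, as in the reported behaviour. */
static void settimeout_unchecked(session_t *s, long long query) {
    s->querytimeout = query;
}

/* Checked two-argument form: validate both values before touching the
 * session, so a rejected call leaves the current settings unchanged. */
static int settimeout_checked(session_t *s, long long query, long long session) {
    if (query < 0 || session < 0) {
        snprintf(s->errmsg, sizeof s->errmsg, "Illegal timeout value: %lld",
                 query < 0 ? query : session);
        return -1;
    }
    s->errmsg[0] = '\0';
    s->querytimeout = query;
    s->sessiontimeout = session;
    return 0;
}

/* One-argument forms reuse the same check and keep the other setting. */
static int settimeout_query(session_t *s, long long query) {
    return settimeout_checked(s, query, s->sessiontimeout);
}
static int setsession_checked(session_t *s, long long timeout) {
    return settimeout_checked(s, s->querytimeout, timeout);
}

int main(void) {
    session_t s = {0};
    settimeout_unchecked(&s, -9);
    printf("unchecked -9: aborted=%d\n", query_aborted(&s, 0));
    s.querytimeout = 0;
    int rc = settimeout_query(&s, -9);
    printf("checked -9: rc=%d msg=\"%s\" querytimeout=%lld\n", rc, s.errmsg, s.querytimeout);
    return 0;
}
```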