-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
server, sessionctx: add multi statement workaround #22351
Conversation
SQL injection is a high risk, do we have a better way to ensure that user upgrade it? |
To clarify: SQL injection is still possible either way. But the SQL injection cases are much riskier with multi-statement, since you can terminate the existing partial statement and then execute an entirely new statement.
|
Yeah, I understand, thank you! |
/run-all-tests |
dd8ee3f
to
cc366d9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rest LGTM
sessionctx/variable/sysvar.go
Outdated
// Warn means return warnings | ||
Warn = "WARN" | ||
// OffInt is used by TiDBMultiStatementMode | ||
OffInt = 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest you mark a type to OffInt
and the field TiDBMultiStatementMode
itself, like type TiDBMultiStatementModeEnum int
or something else. Then move it closer to the variable field or the handle function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I'll move it.
@@ -1433,7 +1433,19 @@ func (cc *clientConn) handleQuery(ctx context.Context, sql string) (err error) { | |||
|
|||
capabilities := cc.ctx.GetSessionVars().ClientCapability | |||
if capabilities&mysql.ClientMultiStatements < 1 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it intended that, if user set multi-statements on, even MultiStatementMode is Warn, the server will not report any error? Or if user set multi-statements on, even MultiStatementMode is Off, the server will continue without errors?
That is, is it intended to put your MultiStatementMode code in the branch of multi-statements disabled
by users/clients?
If it is, is there any way to test cases where multi-statements are enabled by clients?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it intended that, if user set multi-statements on, even MultiStatementMode is Warn, the server will not report any error? Or if user set multi-statements on, even MultiStatementMode is Off, the server will continue without errors?
Correct: If multiStatements are ON or WARN, there is no error. The error is caused by OFF, because multiStatement support is "turned off". This is assuming that the client has not set the multi-statement flag correctly, in which case it is permitted and none of this applies.
That is, is it intended to put your MultiStatementMode code in the branch of multi-statements disabled
by users/clients?
Correct. If they enable multi-statements in their client, I have no issue with it. This flag is only for preserving the upgrade story because TiDB previously ignored the client multi-statement flag.
If it is, is there any way to test cases where multi-statements are enabled by clients?
Yes, there are preexisting tests. See runTestMultiStatements
in server/server_test.go
which started setting this flag correctly from the PR https://github.com/pingcap/tidb/pull/19459/files
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for you detailed explanation :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it that a conclusion above?
client multi-statements = on
will pass through the check, otherwise, TiDB will take internal MultiStatementMode into consideration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. Ideally clients would always set this, and we don't have the internal MultiStatementMode check. But per the description, this is a workaround because TiDB only started enforcing the multi-statement check in 4.0.9 and it's been causing users problems.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
You may want to request another team member to review. |
LGTM |
/merge |
/run-all-tests |
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
cherry pick to release-4.0 in PR #22468 |
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
cherry pick to release-5.0-rc in PR #22469 |
What problem does this PR solve?
Problem Summary:
v4.0.9 shipped with a fix for a server protocol vulnerability: #19459
It can be worked around by changing client library settings, but that's not always easy given each client library is different. This provides a server workaround as well, which adjusts from an error to a warning by default.
What is changed and how it works?
A new sysvar is added, called
tidb_multi_statement_mode
(scope: SESSION or GLOBAL). The type is anENUM
:OFF
: the MySQL compatible/safest behavior. Multi-statement is not permitted unless the client sets the multi-statement attribute. An error is returned.ON
: Multi-statement is permitted without errors or warnings.WARN
(default): Multi-statement is permitted, but returns a warning.Thus, the "4.0.8 and earlier" behavior can be restored with "ON". The 4.0.9 and 4.0.10 behavior is effectively "OFF".
Both the warning and error message is as follows:
The intention is to change the default from
WARN
back toOFF
in a 4.0-series release in the short future, so users are safe-by-default. In order to do this, SQL client error tracking will have to be added (see #14433 ). This PR ensures that this error uses the unique code of8030
so that deployment tools can check if a user depends on the unsafe behavior before attempting to upgrade them.Related changes
Check List
Tests
Side effects
Release note
COM_QUERY
packet, leading to increased risk of SQL injection. To provide backwards compatibility for applications that depend on this behavior, a new optiontidb_multi_statement_mode
has been added. Assuming you understand the security risks, you can revert to the 4.0.8 by executingSET GLOBAL tidb_multi_statement_mode='ON'
. The default behavior oftidb_multi_statement_mode
also relaxes the error introduced in 4.0.9 to a warning. It is intended to be changed to an error again in a future release.