WL#16482: mysqldump blindly trusting SHOW CREATE TABLE leads

  to arbitrary code execution.

The 8.0 version.

Introduced a --[skip-]system-command command line/config file option
for the mysql binary.
Type: boolean
Default: ON, can be turned off with --skip-system-command

When --skip-system-command is specified and a system command or the
abbreviated \! is specified, an error will be printed and the command
won't be executed.

Test case added.

Change-Id: I46e8f3cc8e8a6aa37f8374c04a87177604cd124e

Author: gkodinov

client/mysql.cc

@@ -400,7 +400,8 @@ static COMMANDS commands[] = {
      "Execute an SQL script file. Takes a file name as an argument."},
     {"status", 's', com_status, false,
      "Get status information from the server."},
-    {"system", '!', com_shell, true, "Execute a system shell command."},
+    {"system", '!', com_shell, true,
+     "Execute a system shell command, if enabled"},
     {"tee", 'T', com_tee, true,
      "Set outfile [to_outfile]. Append everything into given outfile."},
     {"use", 'u', com_use, true,
@@ -1645,6 +1646,8 @@ void window_resize(int) {
 }
 #endif
 
+static bool opt_system_command = true;
+
 static struct my_option my_long_options[] = {
     {"help", '?', "Display this help and exit.", nullptr, nullptr, nullptr,
      GET_NO_ARG, NO_ARG, 0, 0, 0, nullptr, 0, nullptr},
@@ -1969,6 +1972,10 @@ static struct my_option my_long_options[] = {
      &opt_oci_config_file, &opt_oci_config_file, nullptr, GET_STR, REQUIRED_ARG,
      0, 0, 0, nullptr, 0, nullptr},
 #include "authentication_kerberos_clientopt-longopts.h"
+    {"system-command", 0,
+     "Enable (by default) or disable the system mysql command.",
+     &opt_system_command, &opt_system_command, nullptr, GET_BOOL, NO_ARG, 1, 0,
+     0, nullptr, 0, nullptr},
     {nullptr, 0, nullptr, nullptr, nullptr, nullptr, GET_NO_ARG, NO_ARG, 0, 0,
      0, nullptr, 0, nullptr}};
 
@@ -4128,6 +4135,13 @@ static int com_shell(String *buffer [[maybe_unused]],
     put_info("Usage: \\! shell-command", INFO_ERROR);
     return -1;
   }
+
+  if (!opt_system_command) {
+    return put_info(
+        "'system' command received, but the --system-command option is off. "
+        "Skipping.",
+        INFO_ERROR);
+  }
   /*
     The output of the shell command does not
     get directed to the pager or the outfile

mysql-test/r/mysql.result

@@ -555,5 +555,13 @@ include/assert_grep.inc [look for query_attributes in help]
 #
 # Success criteria: port number present in the error text
 ERROR 2003 (HY000): Can't connect to MySQL server on '127.0.0.1:99999' (XXX)
+#
+# Bug # 36377685: mysqldump blindly trusting SHOW CREATE TABLE leads to
+#   arbitrary code execution.
+#
+# Test "system": Must return an error
+ERROR at line 1: 'system' command received, but the --system-command option is off. Skipping.
+# Test "!": Must return an error
+ERROR at line 1: 'system' command received, but the --system-command option is off. Skipping.
 
 End of tests

mysql-test/t/mysql.test

@@ -1,4 +1,5 @@
-#
+
+
 # Testing the MySQL command line client(mysql)
 #
 
@@ -687,5 +688,18 @@ DROP USER bug21464621;
 --error 1
 --exec $MYSQL -h 127.0.0.1 -P 99999 2>&1
 
+--echo #
+--echo # Bug # 36377685: mysqldump blindly trusting SHOW CREATE TABLE leads to
+--echo #   arbitrary code execution.
+--echo #
+
+--echo # Test "system": Must return an error
+--error 1
+--exec $MYSQL test --skip-system-command -e "system ls;" 2>&1
+ 
+--echo # Test "!": Must return an error
+--error 1
+--exec $MYSQL test --skip-system-command -e "\\! ls" 2>&1
+
 --echo
 --echo End of tests