Bug#35304195: ssl_session_data_print creates world readable files by default

When the ssl_session_data_print mysql client command is being output
to file, the result file is created as world readable.

The solution is to create file with 0600 access permission,
instead of using the existing 0644 default.

Solution is Unix specific, behaviour stays the same on Windows
due to missing group|other permissions concept for this platform
within the MySQL posix wrappers.

Change-Id: I0e9f8040c0f0dd01e46631cab32b56dc9fc451e6

Author: MRajcic

client/mysql.cc

@@ -4617,34 +4617,42 @@ static int com_ssl_session_data_print(String *buffer [[maybe_unused]],
   char msgbuf[256];
   char *param = get_arg(line, false);
   const char *err_text = nullptr;
-  FILE *fo = nullptr;
-  void *data = nullptr;
+  File fo = -1;
+  char *data = nullptr;
+  const bool use_outfile = (param != nullptr);
 
-  if (param) {
-    if (nullptr == (fo = fopen(param, "w"))) {
+  if (use_outfile) {
+    // result file is access protected (0600)
+    const MY_MODE file_creation_mode = get_file_perm(USER_READ | USER_WRITE);
+    const int access_flags = O_WRONLY | O_TRUNC | O_CREAT;
+
+    fo = my_create(param, file_creation_mode, access_flags, MYF(0));
+    if (fo == -1) {
       err_text = "Failed to open the output file";
       goto end;
     }
-  } else
-    fo = stdout;
+  } else {
+    fo = my_fileno(stdout);
+  }
 
-  data = mysql_get_ssl_session_data(&mysql, 0, nullptr);
+  data =
+      reinterpret_cast<char *>(mysql_get_ssl_session_data(&mysql, 0, nullptr));
   if (!data) {
     err_text = nullptr;
     put_error(&mysql);
     goto end;
   }
-  if (0 > fputs(reinterpret_cast<char *>(data), fo)) {
+  if (my_write(fo, (uchar *)data, strlen(data), MYF(0)) == MY_FILE_ERROR) {
     snprintf(msgbuf, sizeof(msgbuf), "Write of session data failed: %d (%s)",
              errno, strerror(errno));
     err_text = &msgbuf[0];
     goto end;
   }
-  if (fo == stdout) fputs("\n", fo);
+  if (!use_outfile && fo != -1) my_write(fo, (const uchar *)"\n", 1, MYF(0));
 
 end:
   if (data) mysql_free_ssl_session_data(&mysql, data);
-  if (fo && fo != stdout) fclose(fo);
+  if (use_outfile && fo != -1) (void)my_close(fo, MYF(0));
   if (err_text) return put_info(err_text, INFO_ERROR);
   return 0;
 }

mysql-test/r/client_ssl_data_print.result

@@ -0,0 +1,3 @@
+#
+# Bug#35304195: ssl_session_data_print creates world readable files by default
+#

mysql-test/t/client_ssl_data_print.test

@@ -0,0 +1,19 @@
+--echo #
+--echo # Bug#35304195: ssl_session_data_print creates world readable files by default
+--echo #
+
+--source include/not_windows.inc
+
+# print SSL session .pem contents to file
+let SESSION_FILE=$MYSQLTEST_VARDIR/tmp/ssldata.pem;
+exec $MYSQL --ssl-mode=required -e "ssl_session_data_print $SESSION_FILE" 2>&1 > /dev/null;
+
+# assert the file has correct access permissions (0600)
+--perl
+use strict;
+my $mode = (stat($ENV{SESSION_FILE}))[2];
+my $perm = sprintf "%04o", ($mode & 07777);
+die "Invalid permission $perm for $ENV{SESSION_FILE}" unless $perm == '0600';
+EOF
+
+--remove_file $SESSION_FILE