server, sessionctx: add multi statement workaround#22351
server, sessionctx: add multi statement workaround#22351ti-srebot merged 8 commits intopingcap:masterfrom
Conversation
|
SQL injection is a high risk, do we have a better way to ensure that user upgrade it? |
To clarify: SQL injection is still possible either way. But the SQL injection cases are much riskier with multi-statement, since you can terminate the existing partial statement and then execute an entirely new statement.
|
Yeah, I understand, thank you! |
|
/run-all-tests |
dd8ee3f to
cc366d9
Compare
sessionctx/variable/sysvar.go
Outdated
| // Warn means return warnings | ||
| Warn = "WARN" | ||
| // OffInt is used by TiDBMultiStatementMode | ||
| OffInt = 0 |
There was a problem hiding this comment.
I would suggest you mark a type to OffInt and the field TiDBMultiStatementMode itself, like type TiDBMultiStatementModeEnum int or something else. Then move it closer to the variable field or the handle function.
| @@ -1433,7 +1433,19 @@ func (cc *clientConn) handleQuery(ctx context.Context, sql string) (err error) { | |||
|
|
|||
| capabilities := cc.ctx.GetSessionVars().ClientCapability | |||
| if capabilities&mysql.ClientMultiStatements < 1 { | |||
There was a problem hiding this comment.
Is it intended that, if user set multi-statements on, even MultiStatementMode is Warn, the server will not report any error? Or if user set multi-statements on, even MultiStatementMode is Off, the server will continue without errors?
That is, is it intended to put your MultiStatementMode code in the branch of multi-statements disabled
by users/clients?
If it is, is there any way to test cases where multi-statements are enabled by clients?
There was a problem hiding this comment.
Is it intended that, if user set multi-statements on, even MultiStatementMode is Warn, the server will not report any error? Or if user set multi-statements on, even MultiStatementMode is Off, the server will continue without errors?
Correct: If multiStatements are ON or WARN, there is no error. The error is caused by OFF, because multiStatement support is "turned off". This is assuming that the client has not set the multi-statement flag correctly, in which case it is permitted and none of this applies.
That is, is it intended to put your MultiStatementMode code in the branch of multi-statements disabled
by users/clients?
Correct. If they enable multi-statements in their client, I have no issue with it. This flag is only for preserving the upgrade story because TiDB previously ignored the client multi-statement flag.
If it is, is there any way to test cases where multi-statements are enabled by clients?
Yes, there are preexisting tests. See runTestMultiStatements in server/server_test.go which started setting this flag correctly from the PR https://github.com/pingcap/tidb/pull/19459/files
There was a problem hiding this comment.
Thanks for you detailed explanation :)
There was a problem hiding this comment.
it that a conclusion above?
client multi-statements = on will pass through the check, otherwise, TiDB will take internal MultiStatementMode into consideration?
There was a problem hiding this comment.
Correct. Ideally clients would always set this, and we don't have the internal MultiStatementMode check. But per the description, this is a workaround because TiDB only started enforcing the multi-statement check in 4.0.9 and it's been causing users problems.
|
You may want to request another team member to review. |
|
LGTM |
|
/merge |
|
/run-all-tests |
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
|
cherry pick to release-4.0 in PR #22468 |
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
|
cherry pick to release-5.0-rc in PR #22469 |
What problem does this PR solve?
Problem Summary:
v4.0.9 shipped with a fix for a server protocol vulnerability: #19459
It can be worked around by changing client library settings, but that's not always easy given each client library is different. This provides a server workaround as well, which adjusts from an error to a warning by default.
What is changed and how it works?
A new sysvar is added, called
tidb_multi_statement_mode(scope: SESSION or GLOBAL). The type is anENUM:OFF: the MySQL compatible/safest behavior. Multi-statement is not permitted unless the client sets the multi-statement attribute. An error is returned.ON: Multi-statement is permitted without errors or warnings.WARN(default): Multi-statement is permitted, but returns a warning.Thus, the "4.0.8 and earlier" behavior can be restored with "ON". The 4.0.9 and 4.0.10 behavior is effectively "OFF".
Both the warning and error message is as follows:
The intention is to change the default from
WARNback toOFFin a 4.0-series release in the short future, so users are safe-by-default. In order to do this, SQL client error tracking will have to be added (see #14433 ). This PR ensures that this error uses the unique code of8030so that deployment tools can check if a user depends on the unsafe behavior before attempting to upgrade them.Related changes
Check List
Tests
Side effects
Release note
COM_QUERYpacket, leading to increased risk of SQL injection. To provide backwards compatibility for applications that depend on this behavior, a new optiontidb_multi_statement_modehas been added. Assuming you understand the security risks, you can revert to the 4.0.8 by executingSET GLOBAL tidb_multi_statement_mode='ON'. The default behavior oftidb_multi_statement_modealso relaxes the error introduced in 4.0.9 to a warning. It is intended to be changed to an error again in a future release.