Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion mysql-test/suite/galera/suite.pm
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,15 @@ sub skip_combinations {
unless which("qpress");
$skip{'../encryption/include/have_file_key_management_plugin.combinations'} = [ 'ctr' ]
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
and $1 ge "1.0.1";
and $1 ge "1.1.1";

# SSL is complicated
my $ssl_lib= $::mysqld_variables{'version-ssl-library'};
my $openssl_ver= $ssl_lib =~ /OpenSSL (\S+)/ ? $1 : "";

$skip{'t/galera_sst_cn_injection.test'} = 'does not work with OpenSSL <= 1.1.1'
unless $openssl_ver ge "3.0.0";
Comment thread
janlindstrom marked this conversation as resolved.
Comment thread
janlindstrom marked this conversation as resolved.

%skip;
}

Expand Down
1 change: 1 addition & 0 deletions mysql-test/suite/galera/t/galera_sst_cn_injection.test
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
--source include/have_innodb.inc
--source include/have_mariabackup.inc
--source include/have_ssl_communication.inc
--source include/have_openssl.inc

SELECT 1;

Expand Down
22 changes: 18 additions & 4 deletions sql/wsrep_sst.cc
Original file line number Diff line number Diff line change
Expand Up @@ -2040,11 +2040,25 @@ int wsrep_sst_donate(const std::string& msg,
addr= data;
}

if (remote_auth() &&
wsrep_check_request_str(remote_auth(), wsrep_shell_char, true))
if (remote_auth())
{
WSREP_ERROR("Bad remote auth string. SST canceled.");
return WSREP_CB_FAILURE;
/* auth is like localhost:ecee4512990b6a685b5d8df250cb5028 */
std::string auth= remote_auth();
std::string r_user = auth.substr(0, auth.find(":"));
std::string r_pw = auth.substr(auth.find(":")+1, auth.size());
if (!r_user.empty() &&
wsrep_check_request_str(r_user.c_str(), wsrep_filename_char, true))
{
WSREP_ERROR("Bad remote auth string. SST canceled.");
return WSREP_CB_FAILURE;
}
if (!r_pw.empty() &&
wsrep_check_request_str(r_pw.c_str(), wsrep_filename_char, true))
{
WSREP_ERROR("Bad remote auth string. SST canceled.");
return WSREP_CB_FAILURE;
}

}

if (wsrep_check_request_str(addr, wsrep_address_char, true))
Expand Down
7 changes: 0 additions & 7 deletions sql/wsrep_utils.cc
Original file line number Diff line number Diff line change
Expand Up @@ -619,13 +619,6 @@ bool wsrep_address_char(const unsigned char c)
(c == ':') || (c == '[') || (c == ']') || (c == '/');
}

bool wsrep_shell_char(const unsigned char c)
{
return (c != '`') && (c != '\'') && (c != '$') &&
(c != ' ') && (c != '\t') && (c != '\n') &&
(c != '\r') && (c != '\v') && (c != '\f');
}

/* return true if character can be a part of an address string list */
bool wsrep_names_list(const unsigned char c)
{
Expand Down
1 change: 0 additions & 1 deletion sql/wsrep_utils.h
Original file line number Diff line number Diff line change
Expand Up @@ -428,7 +428,6 @@ class critical
bool wsrep_filename_char(const unsigned char c);
bool wsrep_comma_char(const unsigned char c);
bool wsrep_address_char(const unsigned char c);
bool wsrep_shell_char(const unsigned char c);
bool wsrep_names_list(const unsigned char c);
bool wsrep_check_request_str(const char* const str,
bool (*check) (const unsigned char),
Expand Down