Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-20466

SHOW PROCESSLIST truncates query text on \0 bytes

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • 10.3.17, 10.4.7, 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
    • 10.2.28, 5.5.66, 10.1.42, 10.3.19, 10.4.9
    • OTHER
    • None

    Description

      When executing a query with a NUL byte ('\0') in it, SHOW PROCESSLIST will just show the query up to that byte, hiding the rest of the query. In the slow query log, on the other hand,
      the full query is shown, and the NUL byte encoded as '^@'.

      This can be used by a malicious user to try to hide SQL injection attacks.

      <?php
      		 
      $db = mysqli_connect("127.0.0.1", "root", "", "test");
      		 
      $query = "SELECT user FROM mysql.user WHERE user = 'root\0' OR SLEEP(100)";
      		 
      $db->query($query);
      		 
      ?>


      > show full processlist;
      		 
      +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+
      		 
      | Id | User        | Host            | db   | Command | Time | State                    | Info                                           | Progress |
      		 
      +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+
      		 
      [...]
      		 
      | 17 | root        | localhost:41928 | NULL | Query   |    0 | Init                     | show full processlist                          |    0.000 |
      		 
      | 18 | root        | localhost:41930 | test | Query   |    2 | User sleep               | SELECT user FROM mysql.user WHERE user = 'root |    0.000 |
      		 
      +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+


      Time                Id Command  Argument
      		 
      # Time: 190902 12:22:03
      		 
      # User@Host: root[root] @ localhost [127.0.0.1]
      		 
      # Thread_id: 18  Schema: test  QC_hit: No
      		 
      # Query_time: 300.028394  Lock_time: 0.001831  Rows_sent: 0  Rows_examined: 3
      		 
      # Rows_affected: 0  Bytes_sent: 70
      		 
      use test;
      		 
      SET timestamp=1567419723;
      		 
      SELECT user FROM mysql.user WHERE user = 'root^@' OR SLEEP(100);

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21462 main.processlist_notembedded fails to clean up, causes perfschema test failures

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22513 main.processlist_notembedded fails in buildbot with Timeout in wait_until_count_sessions

          • Major - Major loss of function.
          • Closed

          Activity

            Transition Time In Source Status Execution Times
            Alice Sherepa made transition -
            Open Confirmed
            		51m 55s 1
            Oleksandr Byelkin made transition -
            Confirmed In Progress
            		1d 3h 28m 1
            Oleksandr Byelkin made transition -
            In Progress Closed
            		41d 21h 3m 1

            People

              sanja Oleksandr Byelkin
              hholzgra Hartmut Holzgraefe
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.