[MDEV-20466] SHOW PROCESSLIST truncates query text on \0 bytes - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3.17, 10.4.7, 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.28, 5.5.66, 10.1.42, 10.3.19, 10.4.9
Component/s: OTHER
Labels:
None

Description

When executing a query with a NUL byte ('\0') in it, SHOW PROCESSLIST will just show the query up to that byte, hiding the rest of the query. In the slow query log, on the other hand,
the full query is shown, and the NUL byte encoded as '^@'.

This can be used by a malicious user to try to hide SQL injection attacks.

<?php

$db = mysqli_connect("127.0.0.1", "root", "", "test");

$query = "SELECT user FROM mysql.user WHERE user = 'root\0' OR SLEEP(100)";

$db->query($query);

?>

> show full processlist;

+----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+

| Id | User        | Host            | db   | Command | Time | State                    | Info                                           | Progress |

+----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+

[...]

| 17 | root        | localhost:41928 | NULL | Query   |    0 | Init                     | show full processlist                          |    0.000 |

| 18 | root        | localhost:41930 | test | Query   |    2 | User sleep               | SELECT user FROM mysql.user WHERE user = 'root |    0.000 |

+----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+

Time                Id Command  Argument

# Time: 190902 12:22:03

# User@Host: root[root] @ localhost [127.0.0.1]

# Thread_id: 18  Schema: test  QC_hit: No

# Query_time: 300.028394  Lock_time: 0.001831  Rows_sent: 0  Rows_examined: 3

# Rows_affected: 0  Bytes_sent: 70

use test;

SET timestamp=1567419723;

SELECT user FROM mysql.user WHERE user = 'root^@' OR SLEEP(100);

Attachments

Issue Links

causes

MDEV-21462 main.processlist_notembedded fails to clean up, causes perfschema test failures

Closed

relates to

MDEV-22513 main.processlist_notembedded fails in buildbot with Timeout in wait_until_count_sessions

Closed

Activity

Ascending order - Click to sort in descending order

Hartmut Holzgraefe created issue - 2019-09-02 10:31

Hartmut Holzgraefe made changes - 2019-09-02 10:32

Field	Original Value	New Value
Description	When executing a query with a NUL byte ('\0') in it, SHOW PROCESSLIST will just show the query up to that byte, hiding the rest of the query. In the slow query log, on the other hand, the full query is shown, and the NUL byte encoded as '^@'. This can be used by a malicious user to try to hide SQL injection attacks. {noformat} <?php $db = mysqli_connect("127.0.0.1", "root", "", "test"); $query = "SELECT user FROM mysql.user WHERE user = 'root\0' OR SLEEP(100)"; $db->query($query); ?> {noforomat} {noformat} > show full processlist; +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+ \| Id \| User \| Host \| db \| Command \| Time \| State \| Info \| Progress \| +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+ [...] \| 17 \| root \| localhost:41928 \| NULL \| Query \| 0 \| Init \| show full processlist \| 0.000 \| \| 18 \| root \| localhost:41930 \| test \| Query \| 2 \| User sleep \| SELECT user FROM mysql.user WHERE user = 'root \| 0.000 \| +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+ {noformat} {noformat} Time Id Command Argument # Time: 190902 12:22:03 # User@Host: root[root] @ localhost [127.0.0.1] # Thread_id: 18 Schema: test QC_hit: No # Query_time: 300.028394 Lock_time: 0.001831 Rows_sent: 0 Rows_examined: 3 # Rows_affected: 0 Bytes_sent: 70 use test; SET timestamp=1567419723; SELECT user FROM mysql.user WHERE user = 'root^@' OR SLEEP(100); {noformat}	When executing a query with a NUL byte ('\0') in it, SHOW PROCESSLIST will just show the query up to that byte, hiding the rest of the query. In the slow query log, on the other hand, the full query is shown, and the NUL byte encoded as '^@'. This can be used by a malicious user to try to hide SQL injection attacks. {noformat} <?php $db = mysqli_connect("127.0.0.1", "root", "", "test"); $query = "SELECT user FROM mysql.user WHERE user = 'root\0' OR SLEEP(100)"; $db->query($query); ?> {noformat} {noformat} > show full processlist; +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+ \| Id \| User \| Host \| db \| Command \| Time \| State \| Info \| Progress \| +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+ [...] \| 17 \| root \| localhost:41928 \| NULL \| Query \| 0 \| Init \| show full processlist \| 0.000 \| \| 18 \| root \| localhost:41930 \| test \| Query \| 2 \| User sleep \| SELECT user FROM mysql.user WHERE user = 'root \| 0.000 \| +----+-------------+-----------------+------+---------+------+--------------------------+------------------------------------------------+----------+ {noformat} {noformat} Time Id Command Argument # Time: 190902 12:22:03 # User@Host: root[root] @ localhost [127.0.0.1] # Thread_id: 18 Schema: test QC_hit: No # Query_time: 300.028394 Lock_time: 0.001831 Rows_sent: 0 Rows_examined: 3 # Rows_affected: 0 Bytes_sent: 70 use test; SET timestamp=1567419723; SELECT user FROM mysql.user WHERE user = 'root^@' OR SLEEP(100); {noformat}

Alice Sherepa made changes - 2019-09-02 11:06

Affects Version/s		10.0 [ 16000 ]
Affects Version/s		10.1 [ 16100 ]
Affects Version/s		10.2 [ 14601 ]
Affects Version/s		10.3 [ 22126 ]
Affects Version/s		10.4 [ 22408 ]

Alice Sherepa made changes - 2019-09-02 11:14

Affects Version/s

5.5 [ 15800 ]

Alice Sherepa made changes - 2019-09-02 11:19

Fix Version/s		5.5 [ 15800 ]
Fix Version/s		10.0 [ 16000 ]
Fix Version/s		10.1 [ 16100 ]
Fix Version/s		10.2 [ 14601 ]
Fix Version/s		10.3 [ 22126 ]
Fix Version/s		10.4 [ 22408 ]

Alice Sherepa made changes - 2019-09-02 11:23

Status

Open [ 1 ]

Confirmed [ 10101 ]

Alice Sherepa made changes - 2019-09-02 11:23

Assignee

Oleksandr Byelkin [ sanja ]

Oleksandr Byelkin made changes - 2019-09-03 14:51

Status

Confirmed [ 10101 ]

In Progress [ 3 ]

Oleksandr Byelkin made changes - 2019-10-15 11:55

Component/s		OTHER [ 10125 ]
Fix Version/s		5.5.66 [ 23403 ]
Fix Version/s		10.1.42 [ 23407 ]
Fix Version/s		10.2.28 [ 23910 ]
Fix Version/s		10.3.19 [ 23908 ]
Fix Version/s		10.4.9 [ 23906 ]
Fix Version/s	10.2 [ 14601 ]
Fix Version/s	5.5 [ 15800 ]
Fix Version/s	10.0 [ 16000 ]
Fix Version/s	10.1 [ 16100 ]
Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]
Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Closed [ 6 ]

Marko Mäkelä made changes - 2020-01-13 13:02

Link

This issue causes ~~MDEV-21462~~ [ ~~MDEV-21462~~ ]

Marko Mäkelä made changes - 2020-05-11 07:22

Link

This issue relates to ~~MDEV-22513~~ [ ~~MDEV-22513~~ ]

Sergei Golubchik made changes - 2021-12-06 21:50

Workflow

MariaDB v3 [ 99357 ]

MariaDB v4 [ 156688 ]

Jira Automation (IT) made changes - 2024-07-04 03:43

Zendesk Related Tickets

136292

People

Assignee:: Oleksandr Byelkin

Reporter:: Hartmut Holzgraefe

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2019-09-02 10:31

Updated:: 2024-07-07 22:33

Resolved:: 2019-10-15 11:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server