Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
13.0
-
Can result in unexpected behaviour
-
A parameter-injection gap existed in wsrep_sst_rsync because it failed to validate the joiner-supplied WSREP_SST_OPT_REMOTE_USER and WSREP_SST_OPT_REMOTE_PSWD values before interpolating them into the donor-written stunnel.conf and the rsync magic file.
-
Q2/2026 Replic. Development, Q3/2026 Replic. Maintenance
Description
Issue:
wsrep_sst_rsync.sh interpolated WSREP_SST_OPT_REMOTE_USER and
WSREP_SST_OPT_REMOTE_PSWD verbatim. Because both values originate from
the joiner side of the SST request, a newline in either could splice
an extra directive into the donor-written stunnel.conf (silently
downgrading peer-cert verification) or an extra line into the rsync
magic file. MDEV-39413 had introduced safe() for the same threat class
in wsrep_sst_mariabackup but did not extend it to the rsync script.
Solution:
Routing the rsync interpolations through safe() closes the gap, and
extending safe() to also reject tab and newline ensures multi-line
values cannot survive into a config-file heredoc.
Attachments
Issue Links
- relates to
-
MDEV-39612 Galera Cluster-peer > Donor command execution
-
- Closed
-
-
MDEV-39676 Galera Cluster-peer > Donor command execution
-
- Closed
-
-
MDEV-39721 wsrep_notify_cmd should sanitize peer-supplied fields before shell substitution
-
- Closed
-
- links to