Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-39721

wsrep_notify_cmd should sanitize peer-supplied fields before shell substitution

    XMLWordPrintable

Details

    • Can result in unexpected behaviour
    • The wsrep_notify_cmd functionality was susceptible to a parameter-injection vulnerability, as it failed to validate the peer-supplied wsrep_node_name and wsrep_node_incoming_address values before interpolating them into the notification command line.
    • Q2/2026 Replic. Development, Q3/2026 Replic. Maintenance

    Description

      Issue:
      wsrep_notify_status() interpolates members[i].name() (peer's
      wsrep_node_name) and members[i].incoming() verbatim into a command
      string executed via 'sh -c'. A peer joining with shell metacharacters
      in either field can inject arbitrary commands on every cluster member
      that has wsrep_notify_cmd configured. Same threat class as
      MDEV-39413/MDEV-39648 for SST, but the notify path was not covered.

      Solution:
      Validate both fields before substitution; reject values containing
      shell-significant characters and skip the notification, mirroring
      safe() in scripts/wsrep_sst_common.sh.

      Reported by letchu_pkt

      Attachments

        Issue Links

          Activity

            People

              hemantdangi Hemant Dangi
              hemantdangi Hemant Dangi
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0d
                  0d
                  Remaining:
                  Remaining Estimate - 0d
                  0d
                  Logged:
                  Time Spent - 5h
                  5h

                  Git Integration

                    Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.