Details
- Type: New Feature
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- 1.0.0
- None
- Linux
- 2017-31
Description
This is imported from bugzilla item: http://bugs.mariadb.com/show_bug.cgi?id=553
The fix version in bugzilla shows "commit 5cfbfe39ac942e406de719612257ef797dca9c7f"
Hartmut Holzgraefe 2014-09-22 18:15:46 UTC
After parsing options maxadmin takes the remaining command line argument(s), first checks if these match a readable file name and executes commands from this file, or takes the extra argument(s) as literal maxadmin commands ...
Problem is that a file name can be the same as a maxadmin command, e.g.:
echo list clients > list\ servers
maxadmin ... list servers
will list clients, not servers, as "list servers" is now a valid, readable file ....
While it's unlikely that someone names files like this by accident, it may be an attack vector for maliciously changing the behaviour of maxscale invocations with command line commands ...
proposed fix:
1) either have an explicit "-f|--command-file FILENAME" option
2) or do not support giving a file name at all, just rely on input redirection, e.g.:
maxadmin ... < cmdfile.txt
instead of
maxadmin ... cmdfile.txt
The "mysql" command line client takes the 2nd approach, so that's probably what maxadmin should be doing, too?
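The ambiguity described in the report, and the two proposed fixes, modelled as an added example (not maxadmin's own code): `resolve_ambiguous` mimics the reported behaviour of letting a readable file whose name matches the joined arguments win over the literal command, `resolve_explicit` selects the command source via an explicit option, and `read_command_stream` stands in for reading redirected stdin. All file names and the "list clients"/"list servers" contents are constructed for the demonstration.

```python
import io
import os
import tempfile


def _read_commands(fh):
    """Return the non-empty lines of an open command file."""
    return [line.strip() for line in fh if line.strip()]


def resolve_ambiguous(args, cwd):
    """Model of the reported behaviour: if the space-joined arguments name a
    readable file, its contents are executed instead of the literal command."""
    joined = " ".join(args)
    path = os.path.join(cwd, joined)
    if os.path.isfile(path) and os.access(path, os.R_OK):
        with open(path) as fh:
            return ("file", _read_commands(fh))
    return ("literal", [joined])


def resolve_explicit(args, cwd, command_file=None):
    """Proposed fix 1: the command source is chosen by an explicit option
    (assumed name: command_file) and never inferred from a file lookup."""
    if command_file is not None:
        with open(os.path.join(cwd, command_file)) as fh:
            return ("file", _read_commands(fh))
    return ("literal", [" ".join(args)])


def read_command_stream(stream):
    """Proposed fix 2: commands only ever come from redirected input."""
    return ("stdin", _read_commands(stream))


def demo():
    with tempfile.TemporaryDirectory() as cwd:
        # Constructed: a file whose name collides with the "list servers" command.
        with open(os.path.join(cwd, "list servers"), "w") as fh:
            fh.write("list clients\n")
        with open(os.path.join(cwd, "cmdfile.txt"), "w") as fh:
            fh.write("list servers\n")
        args = ["list", "servers"]
        ambiguous = resolve_ambiguous(args, cwd)            # file wins: runs "list clients"
        explicit = resolve_explicit(args, cwd)              # literal: runs "list servers"
        from_file = resolve_explicit([], cwd, command_file="cmdfile.txt")
        from_stdin = read_command_stream(io.StringIO("list servers\n"))
        return ambiguous, explicit, from_file, from_stdin


if __name__ == "__main__":
    print(demo())
```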