[MDEV-13921] Audit log writes invalid SQL if single-line comments are present
Created: 2017-09-27  Updated: 2017-11-03  Resolved: 2017-11-03

Status: Closed
Project: MariaDB Server
Component/s: Plugin - Audit
Affects Version/s: 5.5, 10.0, 10.1, 10.1.25, 10.2.8, 10.2
Fix Version/s: 10.1.19

Type: Bug
Priority: Major
Reporter: Karoline
Assignee: Alexey Botchkov
Resolution: Fixed
Votes: 0
Labels: None

Sprint: 10.1.29

Description

Since the query lines get joined, single-line comments cause the rest of the line to be ignored.

Reproduction:

In [1]: from pymysql import connect   # pymysql 0.7.11

In [2]: conn = connect(unix_socket='/run/mysqld/mysqld.sock')

In [3]: c = conn.cursor()

In [4]: c.execute('''SELECT 1,
   ...: -- Single-line comment
   ...: 2;''')
Out[4]: 1

In [5]: c.execute('''SELECT 1,
   ...: # Single-line comment
   ...: 2;''')
Out[5]: 1

Resulting log:

20170925 15:23:24,hostname,username,localhost,38,141,QUERY,,'SELECT 1, -- Single-line comment 2',0
20170925 15:23:28,hostname,username,localhost,38,142,QUERY,,'SELECT 1, # Single-line comment 2',0

Cause:
https://github.com/MariaDB/server/blob/fd2c5d19d0f0eeb054d18d4455d3ad28dd680219/plugin/server_audit/server_audit.c#L1346
https://github.com/MariaDB/server/blob/fd2c5d19d0f0eeb054d18d4455d3ad28dd680219/plugin/server_audit/server_audit.c#L1111

Solution
A) Skip comments (defeats the purpose of the audit log to some degree)
B) Log queries with escaped newlines (or better - all special characters).

B seems better.
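
Added illustration, not part of the original report and not the plugin's code: it compares what the server executed with what a log consumer reconstructs from a flattened entry versus an entry written with option B. All function names, the escape set and the naive comment stripper are assumptions made for this sketch.

```python
import re

# Constructed sample: the two statements from the reproduction in the report.
QUERIES = [
    "SELECT 1,\n-- Single-line comment\n2;",
    "SELECT 1,\n# Single-line comment\n2;",
]

# Assumed escape set for option B; the report only asks for "escaped newlines
# (or better - all special characters)".
ESCAPES = {"\\": "\\\\", "'": "\\'", "\n": "\\n", "\r": "\\r", "\t": "\\t"}
UNESCAPES = {"\\": "\\", "'": "'", "n": "\n", "r": "\r", "t": "\t"}

def flatten_lossy(query):
    """Model of the logged form shown in the report: line breaks become spaces."""
    return re.sub(r"[\r\n]+", " ", query)

def escape_for_log(query):
    """Option B: keep the statement on one log line without losing line breaks."""
    return "".join(ESCAPES.get(ch, ch) for ch in query)

def unescape_from_log(field):
    """Inverse of escape_for_log, for a log consumer."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 1 < len(field):
            out.append(UNESCAPES.get(field[i + 1], field[i + 1]))
            i += 2
        else:
            out.append(field[i])
            i += 1
    return "".join(out)

def effective_sql(text):
    """Statement as a parser sees it once '-- ' and '#' comments are dropped.
    Deliberately naive: comment markers inside string literals are not handled."""
    return " ".join(re.sub(r"(--(?=\s)|#)[^\n]*", "", text).split())

def compare(query):
    """Return (executed, seen via flattened log, seen via escaped log)."""
    return (
        effective_sql(query),
        effective_sql(flatten_lossy(query)),
        effective_sql(unescape_from_log(escape_for_log(query))),
    )

if __name__ == "__main__":
    for q in QUERIES:
        print(compare(q))
```

For both sample statements the flattened entry parses as `SELECT 1,` while the escaped entry still yields `SELECT 1, 2;`, so only the escaped form lets an audit reviewer or replay tool see the statement that actually ran.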



Comments
Comment by Alexey Botchkov [ 2017-11-03 ]

http://lists.askmonty.org/pipermail/commits/2017-November/011605.html

Comment by Alexey Botchkov [ 2017-11-03 ]

http://lists.askmonty.org/pipermail/commits/2017-November/011606.html
