server: support for client multi-statement option (pingcap#19459) (pi…

…ngcap#20408) Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
bb7133 · Nov 6, 2020 · 0b0c41b · 0b0c41b
1 parent 19d8e37
commit 0b0c41b
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 1 deletion.
diff --git a/server/conn.go b/server/conn.go
@@ -1367,6 +1367,16 @@ func (cc *clientConn) handleQuery(ctx context.Context, sql string) (err error) {
 		if len(rss) == 1 {
 			err = cc.writeResultset(ctx, rss[0], false, 0, 0)
 		} else {
+			// The client gets to choose if it allows multi-statements, and
+			// probably defaults OFF. This helps prevent against SQL injection attacks
+			// by early terminating the first statement, and then running an entirely
+			// new statement.
+
+			capabilities := cc.ctx.GetSessionVars().ClientCapability
+			if capabilities&mysql.ClientMultiStatements < 1 {
+				return errMultiStatementDisabled
+			}
+
 			err = cc.writeMultiResultset(ctx, rss, false)
 		}
 	} else {

diff --git a/server/server.go b/server/server.go
@@ -97,6 +97,7 @@ var (
 	errAccessDenied            = terror.ClassServer.New(errno.ErrAccessDenied, errno.MySQLErrName[errno.ErrAccessDenied])
 	errConCount                = terror.ClassServer.New(errno.ErrConCount, errno.MySQLErrName[errno.ErrConCount])
 	errSecureTransportRequired = terror.ClassServer.New(errno.ErrSecureTransportRequired, errno.MySQLErrName[errno.ErrSecureTransportRequired])
+	errMultiStatementDisabled  = terror.ClassServer.New(errno.ErrUnknown, "client has multi-statement capability disabled") // MySQL returns a parse error
 )
 
 // DefaultCapability is the capability of the server when it is created using the default configuration.

diff --git a/server/server_test.go b/server/server_test.go
@@ -1082,8 +1082,22 @@ func (cli *testServerClient) runTestStatusAPI(c *C) {
 	c.Assert(data.GitHash, Equals, versioninfo.TiDBGitHash)
 }
 
+// The golang sql driver (and most drivers) should have multi-statement
+// disabled by default for security reasons. Lets ensure that the behavior
+// is correct.
+
+func (cli *testServerClient) runFailedTestMultiStatements(c *C) {
+	cli.runTestsOnNewDB(c, nil, "FailedMultiStatements", func(dbt *DBTest) {
+		_, err := dbt.db.Exec("SELECT 1; SELECT 1; SELECT 2; SELECT 3;")
+		c.Assert(err.Error(), Equals, "Error 1105: client has multi-statement capability disabled")
+	})
+}
+
 func (cli *testServerClient) runTestMultiStatements(c *C) {
-	cli.runTestsOnNewDB(c, nil, "MultiStatements", func(dbt *DBTest) {
+
+	cli.runTestsOnNewDB(c, func(config *mysql.Config) {
+		config.Params = map[string]string{"multiStatements": "true"}
+	}, "MultiStatements", func(dbt *DBTest) {
 		// Create Table
 		dbt.mustExec("CREATE TABLE `test` (`id` int(11) NOT NULL, `value` int(11) NOT NULL) ")
 

diff --git a/server/tidb_test.go b/server/tidb_test.go
@@ -314,6 +314,7 @@ func newTLSHttpClient(c *C, caFile, certFile, keyFile string) *http.Client {
 
 func (ts *tidbTestSuite) TestMultiStatements(c *C) {
 	c.Parallel()
+	ts.runFailedTestMultiStatements(c)
 	ts.runTestMultiStatements(c)
 }