diff --git a/mysql-test/suite/galera/suite.pm b/mysql-test/suite/galera/suite.pm
index 55cdde373c51f..bb0f230eb7a22 100644
--- a/mysql-test/suite/galera/suite.pm
+++ b/mysql-test/suite/galera/suite.pm
@@ -83,7 +83,15 @@ sub skip_combinations {
 unless which("qpress");
 $skip{'../encryption/include/have_file_key_management_plugin.combinations'} = [ 'ctr' ]
 unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
- and $1 ge "1.0.1";
+ and $1 ge "1.1.1";
+
+ # SSL is complicated
+ my $ssl_lib= $::mysqld_variables{'version-ssl-library'};
+ my $openssl_ver= $ssl_lib =~ /OpenSSL (\S+)/ ? $1 : "";
+
+ $skip{'t/galera_sst_cn_injection.test'} = 'does not work with OpenSSL <= 1.1.1'
+ unless $openssl_ver ge "3.0.0";
+
 %skip;
 }
diff --git a/mysql-test/suite/galera/t/galera_sst_cn_injection.test b/mysql-test/suite/galera/t/galera_sst_cn_injection.test
index 8458e6fe4b3b5..2a62dee56869e 100644
--- a/mysql-test/suite/galera/t/galera_sst_cn_injection.test
+++ b/mysql-test/suite/galera/t/galera_sst_cn_injection.test
@@ -9,6 +9,7 @@
 --source include/have_innodb.inc
 --source include/have_mariabackup.inc
 --source include/have_ssl_communication.inc
+--source include/have_openssl.inc
 SELECT 1;
diff --git a/sql/wsrep_sst.cc b/sql/wsrep_sst.cc
index 5fd81bec2c4cf..aa32b237b5f1e 100644
--- a/sql/wsrep_sst.cc
+++ b/sql/wsrep_sst.cc
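Review bot: The new skip for galera_sst_cn_injection.test in suite.pm's skip_combinations compares version strings with `ge`, which Perl evaluates character by character, so a two-digit major version such as "10.0.0" sorts below "3.0.0" and the test would be skipped on a newer library. Comparing the numeric major is sturdier: `my ($ssl_major)= $ssl_lib =~ /OpenSSL (\d+)\./;` followed by `unless defined $ssl_major and $ssl_major >= 3;`. The skip text 'does not work with OpenSSL <= 1.1.1' does not match the condition, which skips everything below 3.0.0 and every build whose library string is not OpenSSL; `'requires OpenSSL 3.0.0 or newer'` says what is actually tested. The comment `# SSL is complicated` should instead state why the test needs 3.0.0, since the skip removes the CN-injection regression check from those builds.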
@@ -2040,11 +2040,25 @@ int wsrep_sst_donate(const std::string& msg,
 addr= data;
 }
- if (remote_auth() &&
- wsrep_check_request_str(remote_auth(), wsrep_shell_char, true))
+ if (remote_auth())
 {
- WSREP_ERROR("Bad remote auth string. SST canceled.");
- return WSREP_CB_FAILURE;
+ /* auth is like localhost:ecee4512990b6a685b5d8df250cb5028 */
+ std::string auth= remote_auth();
+ std::string r_user = auth.substr(0, auth.find(":"));
+ std::string r_pw = auth.substr(auth.find(":")+1, auth.size());
+ if (!r_user.empty() &&
+ wsrep_check_request_str(r_user.c_str(), wsrep_filename_char, true))
+ {
+ WSREP_ERROR("Bad remote auth string. SST canceled.");
+ return WSREP_CB_FAILURE;
+ }
+ if (!r_pw.empty() &&
+ wsrep_check_request_str(r_pw.c_str(), wsrep_filename_char, true))
+ {
+ WSREP_ERROR("Bad remote auth string. SST canceled.");
+ return WSREP_CB_FAILURE;
+ }
+
 }
 if (wsrep_check_request_str(addr, wsrep_address_char, true))
diff --git a/sql/wsrep_utils.cc b/sql/wsrep_utils.cc
index 1cb4fcfb562ae..e8a4c3566599b 100644
--- a/sql/wsrep_utils.cc
+++ b/sql/wsrep_utils.cc
@@ -619,13 +619,6 @@ bool wsrep_address_char(const unsigned char c)
 (c == ':') || (c == '[') || (c == ']') || (c == '/');
 }
-bool wsrep_shell_char(const unsigned char c)
-{
- return (c != '`') && (c != '\'') && (c != '$') &&
- (c != ' ') && (c != '\t') && (c != '\n') &&
- (c != '\r') && (c != '\v') && (c != '\f');
-}
-
 /* return true if character can be a part of an address string list */
 bool wsrep_names_list(const unsigned char c)
 {
diff --git a/sql/wsrep_utils.h b/sql/wsrep_utils.h
index 9d66519c7deab..1c58026fd540c 100644
--- a/sql/wsrep_utils.h
+++ b/sql/wsrep_utils.h
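Review bot: When the auth string in the wsrep_sst.cc hunk has no ':', `auth.find(":")` returns npos, so `r_user` becomes the whole string and `r_pw` is taken from offset `npos + 1`, which wraps to 0 and yields the whole string again; the input is still validated, but only by accident of unsigned wrap-around. Compute the separator once, treat a missing ':' as an empty password, and fold the two identical failure branches into one, as sketched below. The password part is now held to `wsrep_filename_char`, whose definition is outside this diff; if that is a narrow allow-list, a password containing punctuation would now cancel the SST, which deserves a line in the comment or the release notes. wsrep_sst_donate begins and ends outside the hunk.

```cpp
  if (remote_auth())
  {
    /* auth is like localhost:ecee4512990b6a685b5d8df250cb5028 */
    const std::string auth= remote_auth();
    const std::string::size_type sep= auth.find(':');
    const std::string r_user= auth.substr(0, sep);
    /* No ':' means there is no password part; do not rely on npos + 1 == 0. */
    const std::string r_pw=
      sep == std::string::npos ? std::string() : auth.substr(sep + 1);
    if ((!r_user.empty() &&
         wsrep_check_request_str(r_user.c_str(), wsrep_filename_char, true)) ||
        (!r_pw.empty() &&
         wsrep_check_request_str(r_pw.c_str(), wsrep_filename_char, true)))
    {
      WSREP_ERROR("Bad remote auth string. SST canceled.");
      return WSREP_CB_FAILURE;
    }
  }
  // … unchanged: address check with wsrep_address_char …
```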
@@ -428,7 +428,6 @@ class critical
 bool wsrep_filename_char(const unsigned char c);
 bool wsrep_comma_char(const unsigned char c);
 bool wsrep_address_char(const unsigned char c);
-bool wsrep_shell_char(const unsigned char c);
 bool wsrep_names_list(const unsigned char c);
 bool wsrep_check_request_str(const char* const str,
 bool (*check) (const unsigned char),