maria-developers team mailing list archive
Message #09221
Re: [Commits] cae1945: MDEV-9117: Client Server capability negotiation for MariaDB specific functionality
Hi, Oleksandr!
On Jan 18, Oleksandr Byelkin wrote:
> On 17.01.2016 21:55, Sergei Golubchik wrote:
> > On Jan 17, Oleksandr Byelkin wrote:
> >
> >>>>>>>> + if (ext_client_capabilities & MARIADB_CLIENT_EXTENDED_FLAGS)
> >>>>>>>> + client_capabilities|= ext_client_capabilities;
> >>>>>>>> + else
> >>>>>>>> + {
> >>>>>>>> + DBUG_PRINT("error", ("CLIENT_PROTOCOL_41: on, "
> >>>>>>>> + "CLIENT_LONG_PASSWORD/CLIENT_MYSQL off, "
> >>>>>>>> + "but MARIADB_CLIENT_EXTENDED_FLAGS is off. "
> >>>>>>>> + "flags: %llx ext flags %llx",
> >>>>>>>> + client_capabilities, ext_client_capabilities));
> >>>>>>>> + return packet_error;
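Review bot: in the else branch a client that has CLIENT_MYSQL off and the marker bit clear is dropped with packet_error, and the only record of the reason is a DBUG_PRINT, which is compiled out of non-debug builds; if the rejection stays, it should raise an error an operator can see. The marker is read from client-supplied bytes that used to be filler, so testing ext_client_capabilities & MARIADB_CLIENT_EXTENDED_FLAGS does not establish that the peer is a MariaDB client; gating on CLIENT_MYSQL and testing each extended bit where it is used would avoid the hard failure. The visible lines also do not show whether ext_client_capabilities is already shifted clear of the standard bits before "client_capabilities|= ext_client_capabilities;", which deserves a comment.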
> >>>>>>> Why do you need that (MARIADB_CLIENT_EXTENDED_FLAGS and the check)?
> >> I meant flag CLIENT_MYSQL. But there is other function, report extended
> >> functionality to client (client also can understand that it is MariaDB
> >> server, but the flag always set in extended flag area is additional check.
> > I don't understand. What additional safety does this additional check
> > give you?
>
> We checked the bytes of extended flag and the bit should be ON always if
> it is MariaDB.
>
> It is not so good as some signature but better than nothing (especially
> taking into account that all bits are 0).
I don't see how that helps.

Normally these bytes are zero-filled in old clients. So all bits are
naturally 0 and you can simply check for capabilities, like

  if (ext_client_capabilities & MARIADB_PROGRESS_REPORT)

because it will just work and deliver correct result. So checking
MARIADB_CLIENT_EXTENDED_FLAGS is unnecessary.

If some broken third-party connector does not zero-fill these bytes,
then your MARIADB_CLIENT_EXTENDED_FLAGS can be set and your check will
simply produce wrong results.

So, either way MARIADB_CLIENT_EXTENDED_FLAGS flag is not needed - it is
sufficient to check for MYSQL_CLIENT flag.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
--
Vote for my Percona Live 2016 talks:
https://www.percona.com/live/data-performance-conference-2016/sessions/mariadb-connectors-fast-and-smart-new-protocol-optimizations#community-voting
https://www.percona.com/live/data-performance-conference-2016/sessions/mariadb-101-security-validation-authentication-encryption#community-voting
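
The argument in the message above, as an added example that is not part of the original message or of the MariaDB source: it runs the capability-only check and the marker-bit check over constructed handshake headers from a zero-filling client, a MariaDB client and a connector that leaves the filler bytes unzeroed. The bit positions of MARIADB_PROGRESS_REPORT and MARIADB_CLIENT_EXTENDED_FLAGS, the 32-byte header layout and all helper names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_MYSQL       1u    /* same bit as CLIENT_LONG_PASSWORD; off => MariaDB client */
#define CLIENT_PROTOCOL_41 512u
/* Assumed bit positions; the patch's real values are not shown on the page. */
#define MARIADB_PROGRESS_REPORT       (1u << 0)
#define MARIADB_CLIENT_EXTENDED_FLAGS (1u << 31)
#define HDR_LEN 32  /* assumed layout: caps(4) max_packet(4) charset(1) filler(19) ext caps(4) */

static uint32_t le32(const unsigned char *p)
{
  return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Check proposed in the reply: test the capability bit alone, gated on CLIENT_MYSQL. */
static int progress_simple(const unsigned char *h)
{
  if (le32(h) & CLIENT_MYSQL) return 0;
  return (le32(h + 28) & MARIADB_PROGRESS_REPORT) != 0;
}

/* Check in the quoted hunk: also require the marker bit, otherwise reject (-1). */
static int progress_with_marker(const unsigned char *h)
{
  uint32_t ext = le32(h + 28);
  if (le32(h) & CLIENT_MYSQL) return 0;
  if (!(ext & MARIADB_CLIENT_EXTENDED_FLAGS)) return -1;
  return (ext & MARIADB_PROGRESS_REPORT) != 0;
}

/* Constructed header: every byte after the standard caps is set to `fill`. */
static void make_hdr(unsigned char *h, uint32_t caps, unsigned char fill)
{
  memset(h, fill, HDR_LEN);
  for (int i = 0; i < 4; i++) h[i] = (unsigned char)(caps >> (8 * i));
}

int main(void)
{
  unsigned char old[HDR_LEN], maria[HDR_LEN], broken[HDR_LEN];
  make_hdr(old, CLIENT_MYSQL | CLIENT_PROTOCOL_41, 0x00);  /* old client, zero filler */
  make_hdr(maria, CLIENT_PROTOCOL_41, 0x00);
  maria[28] = 0x01; maria[31] = 0x80;                      /* progress + marker bits */
  make_hdr(broken, CLIENT_PROTOCOL_41, 0xFF);              /* filler never zeroed */
  printf("old %d/%d maria %d/%d broken %d/%d\n", progress_simple(old), progress_with_marker(old),
         progress_simple(maria), progress_with_marker(maria),
         progress_simple(broken), progress_with_marker(broken));
  return 0;
}
```

The two checks agree on all three headers, including the unzeroed one where the marker bit is set by garbage; they differ only for a client with CLIENT_MYSQL off and a zero extended field, which the marker check rejects.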