Both MariaDB and MySQL have been around a long time now, and there is always a difficult balance between maintaining compatibility whilst also solving security issues that arise. With the latest bugfix releases of MariaDB, we had to break compatibility a little to improve security, but there are workarounds. We figured we should explain the reasons behind it and how to make things as painless as possible for you.

The Problem

The problem we were solving (and, for various reasons, had to solve very quickly) is that it is possible to generate a malicious MariaDB dump file which could execute shell commands from the MariaDB client. The work to prevent this is detailed in MDEV-21178, and essentially comes down to a new “Sandbox Mode” that disables system commands in the MariaDB client.

MariaDB Client now has an option --sandbox or the MariaDB client prompt command \-. This enables sandbox mode for the rest of the session, until disconnected. Once in sandbox mode, any command that could do something on the shell is disabled.

The second part of this is a small patch to mariadb-dump which adds a command right at the very top of the dump, in a comment, to trigger sandbox mode. It looks like this:

/*!999999\- enable the sandbox mode */

The MariaDB and MySQL clients strip this down to the backslash and dash, and then try to execute the internal command with a dash. This is where the problem lies.

Older versions of MariaDB client and all versions of MySQL client do not understand this command, and they will error on it. Here lies the compatibility problem.

If you are importing a dump from a new MariaDB client version into a version that has not had this fix (the latest releases of all supported versions are getting this fix), or any version of MySQL, that line will error. Other methods of importing into MariaDB Server, such as using a language’s database connector, will be fine.

Affected Versions

The change is happening / has happened in MariaDB 10.5.25, 10.6.18, 10.11.8, 11.0.6, 11.1.5, 11.2.4 and 11.4.2. So, if you take a dump from these versions and try to import it into an unsupported version, such as 10.4, or an older bugfix version such as 10.5.24, you would hit this problem.

Workarounds

Thankfully, you have many options to avoid this, particularly if you wish to export from MariaDB to import into older versions or MySQL. They are:

  • Recommended: Import the dump using the secure client from a version of MariaDB Server that has the change.
  • Use an older (insecure) version of mariadb-dump to take the backup.
  • Remove the line at backup time with something like mariadb-dump|tail +2.
  • Remove the line at import time with something like tail +2|mariadb.
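
As an added example (not code from this post or from the MariaDB project), a POSIX shell filter that drops the sandbox line only when it is actually the first line, so a dump taken with an older mariadb-dump is not truncated the way an unconditional tail +2 would; it assumes awk and grep are available.

```shell
# Added example, not part of the original post.
# Removes the leading "/*!999999\- ... */" sandbox trigger from a dump on
# stdin; any other first line is passed through unchanged.
strip_sandbox_line() {
    awk 'NR == 1 && /^\/\*!999999\\- / { next } { print }'
}

# Returns 0 (true) if the first line of stdin is the sandbox trigger,
# so you can decide whether the target client needs the filter at all.
has_sandbox_line() {
    head -n 1 | grep -q '^/\*!999999\\-'
}

# Constructed three-line dump prefix used for the self-check below.
sample_dump() {
    printf '%s\n' '/*!999999\- enable the sandbox mode */' \
                  '-- MariaDB dump (constructed sample)' \
                  'CREATE TABLE t (id INT);'
}

# Typical use when importing into MySQL or an older MariaDB client:
#   mariadb-dump mydb | strip_sandbox_line | mysql mydb
sample_dump | strip_sandbox_line
```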

With this information, you should be able to find a solution that fits your environment if you come across this issue.

Feature image: compatibility by Twm, used under a CC BY-NC-ND licence.
