MariaDB Dump File Compatibility Change
Both MariaDB and MySQL have been around a long time now, and there is always a difficult balance between maintaining compatibility whilst also solving security issues that arise. With the latest bugfix releases of MariaDB, we had to break compatibility a little to improve security, but there are workarounds. We figured we should explain the reasons behind it and how to make things as painless as possible for you.
The Problem
The problem we were solving, and for various reasons we had to do it very quickly, is that it is possible to generate a malicious MariaDB dump file which could execute shell commands from the MariaDB client. The work to prevent this is detailed in MDEV-21178, which essentially comes down to a new “Sandbox Mode”, which is used to disable system commands in the MariaDB client.
The MariaDB client now has an option --sandbox, or the MariaDB client prompt command \-. Either enables sandbox mode for the rest of the session, until disconnected. Once in sandbox mode, any command that could do something on the shell is disabled.
The second part of this is a small patch to mariadb-dump which adds a command right at the very top of the dump, in a comment, to trigger sandbox mode. It looks like this:
/*!999999\- enable the sandbox mode */
The MariaDB and MySQL clients strip this down to the backslash and dash, and then try to execute the internal command with a dash. This is where the problem lies.
Older versions of MariaDB client and all versions of MySQL client do not understand this command, and they will error on it. Here lies the compatibility problem.
If you are importing a dump from a new MariaDB client version into a client version that has not had this fix (the latest releases of all supported versions are getting this fix), or any version of MySQL, that line will error. Other methods of importing into MariaDB Server, such as using a language's database connector, will be fine.
Affected Versions
The change is happening / has happened in MariaDB 10.5.25, 10.6.18, 10.11.8, 11.0.6, 11.1.5, 11.2.4 and 11.4.2. So, if you take a dump from these versions and try to import it into an unsupported version, such as 10.4, or an older bugfix version, such as 10.5.24, you would hit this problem.
Workarounds
Thankfully, you have many options to avoid this, particularly if you wish to export from MariaDB to import into older versions or MySQL. They are:
- Recommended: Import the dump using the secure client from a version of MariaDB Server that has the change.
- Use an older (insecure) version of mariadb-dump to take the backup.
- Remove the line at backup time with something like: mariadb-dump | tail +2
- Remove the line at import time with something like: tail +2 | mariadb
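The "tail +2" workarounds above drop line 1 of the dump unconditionally, so the same pipeline fed a dump from an older mariadb-dump (or from mysqldump) would also lose a genuine first line. The following POSIX sh filter is an added example, not code from this post or from the MariaDB project: it removes the marker line only when line 1 is exactly the sandbox comment shown above, passes any other dump through unchanged, and includes a check function for inspecting a dump file before deciding how to import it. The commands in the usage comments (mariadb-dump, mysql) and the file name dump.sql are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the MariaDB post or project: filter a dump so
# it can be fed to a client that does not understand the sandbox marker,
# without blindly dropping line 1 the way "tail +2" does.
#
# Usage (assumed command names; adjust to your environment):
#   mariadb-dump mydb | strip_sandbox_header | mysql mydb
#   has_sandbox_header dump.sql && echo "dump carries the sandbox marker"

# The exact line mariadb-dump writes, quoted from the post. Single quotes keep
# the backslash literal.
SANDBOX_LINE='/*!999999\- enable the sandbox mode */'

# has_sandbox_header FILE: succeeds (exit 0) only if line 1 of FILE is the marker.
has_sandbox_header() {
    first=$(head -n 1 "$1")
    [ "$first" = "$SANDBOX_LINE" ]
}

# strip_sandbox_header: stdin -> stdout. Removes line 1 only when it is the
# marker; a dump without the marker passes through unchanged, so the filter
# can stay in an import pipeline permanently.
strip_sandbox_header() {
    # IFS= and -r keep leading whitespace and backslashes in the line intact.
    if ! IFS= read -r first; then
        # Input was empty, or a single line with no trailing newline.
        [ -n "$first" ] && [ "$first" != "$SANDBOX_LINE" ] && printf '%s' "$first"
        return 0
    fi
    if [ "$first" != "$SANDBOX_LINE" ]; then
        printf '%s\n' "$first"
    fi
    # Hand the rest of the stream through unchanged.
    cat
}
```

This only matters when the consumer is an older MariaDB client or MySQL; when the importing client understands the marker, the recommended route is to leave it in place (or pass --sandbox explicitly) so that shell-capable client commands stay disabled for the whole import.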
With this information, you should be able to find a solution that fits your environment if you come across this issue.
Feature image: compatibility by Twm, used under a CC BY-NC-ND licence.
You may also run `sed -i '1{/999999.*sandbox/d}' dump.sql` on the dump file before importing.
Thanks for the post. The workaround of removing the enable the sandbox mode command from the dump at import time worked for me with a tail command inserted between pipes with a modified syntax for tail:
gunzip -c | tail -n +2 | mariadb
Thank you !!
I added the tail command to dump.sh as you wrote.
It’s cleared!!
How on earth does breaking any kind of cross-compatibility "fix" anything? A malicious user just won't include a \- in their dump, or will remove it. I completely fail to see how adding a command to every non-malicious dump does anything except break stuff.
Hi No,
That is one part of the fix. There is also a command and parameter to enable sandbox mode regardless of that flag. So, if you are concerned, you can force-enable it that way. You could also use a different client that doesn’t parse these commands.
The fix had to be done due to an upstream security bulletin which was not fixed properly upstream. As always, if you do not like the fix, you are welcome to contribute improvements.
As for the breakage, there is a follow-up coming that will do the same behaviour in a non-breaking way.