Feature image: compatibility by Twm, used under a CC BY-NC-ND licence.

Both MariaDB and MySQL have been around a long time now, and there is always a difficult balance between maintaining compatibility and solving the security issues that arise. With the latest bugfix releases of MariaDB, we had to break compatibility a little to improve security, but there are workarounds. We figured we should explain the reasons behind it and how to make things as painless as possible for you.

The Problem

The problem we were solving, and for various reasons we had to solve it very quickly, is that it is possible to craft a malicious MariaDB dump file which, when replayed through the MariaDB command-line client, executes shell commands on the machine running the client. A dump is just a file of client input, and the client has always had commands such as system (\!) that hand a line to the shell. The work to prevent this is detailed in MDEV-21178, which essentially comes down to a new "Sandbox Mode" that disables those system commands in the MariaDB client.

The MariaDB client now has a --sandbox option and a client command, \-, that you can type at the prompt. Either enables sandbox mode for the rest of the session, until the client disconnects; there is no command to turn it off again within the session. Once in sandbox mode, any client command that could do something on the shell is disabled.

The second part of this is a small patch to mariadb-dump which adds a command right at the very top of the dump, inside a comment, to trigger sandbox mode. It looks like this:

/*!999999\- enable the sandbox mode */

A client that understands this line switches into sandbox mode before it reads anything else from the dump, so a shell command hidden further down is refused rather than executed.

Affected Versions

Older versions of the MariaDB client and all versions of the MySQL client do not understand this command: they treat \- as a client command they do not recognise and error on it. Here lies the compatibility problem.

The change ships in MariaDB 10.5.25, 10.6.18, 10.11.8, 11.0.6, 11.1.5, 11.2.4 and 11.4.2. So, if you take a dump with mariadb-dump from one of these versions and try to import it with a client from an unsupported version, such as 10.4, or from an older bugfix version such as 10.5.24, you will hit this problem.

If you are importing a dump produced by a new mariadb-dump using a MariaDB client that has not had this fix (the latest release of every supported version has it), or any version of the MySQL client, that first line will error. Note that it is the client replaying the dump that matters, not the server you are importing into: other methods of importing into MariaDB Server, such as feeding the file through a language's database connector, are fine, because the server simply ignores the comment.

Workarounds

Thankfully, you have many options to avoid this, particularly if you wish to export from MariaDB to import into older versions or MySQL. They are:

With this information, you should be able to find a solution that fits your environment if you come across this issue.
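As an added example of handling the incompatible first line (this is not code from the MariaDB post or the MariaDB project), the POSIX shell helpers below check whether a dump file starts with the sandbox header and, when you have no choice but to replay it with a client that does not understand the header, write a copy with that line removed. The header string is quoted from the post. Everything else is my assumption: the list of shell-capable client commands the script greps for (system/\!, edit/\e, pager/\P) is a heuristic with possible false positives, and the sample dumps are constructed, not real mariadb-dump output. Because removing the header gives up the sandbox protection, the script refuses to strip a dump in which it spots shell-looking commands.

```shell
#!/bin/sh
# Added example (not from the MariaDB blog post or the MariaDB project).
# Helpers for replaying a mariadb-dump file with a client that does not
# understand the sandbox header described in the post.

# The exact first line mariadb-dump now emits (quoted from the post).
SANDBOX_HEADER='/*!999999\- enable the sandbox mode */'

# has_sandbox_header FILE
# Succeeds (exit 0) if FILE starts with the sandbox header.
has_sandbox_header() {
    [ "$(head -n 1 "$1")" = "$SANDBOX_HEADER" ]
}

# has_shell_commands FILE
# Heuristic (my assumption, not from the post): succeeds if any line looks
# like a client command that reaches the shell. The long forms must start
# the line; the backslash forms are flagged anywhere on a line, so data
# containing a literal "\!" will also be flagged (false positive).
has_shell_commands() {
    grep -Eq '^[[:space:]]*(system|edit|pager)([[:space:]]|$)|\\[!eP]' "$1"
}

# strip_sandbox_header IN OUT
# Copies IN to OUT without the header line so an old MariaDB client or a
# MySQL client can replay it. Refuses (exit 2) if the dump also contains
# shell-looking commands, because without the header nothing stops them.
# Files that have no header are copied unchanged.
strip_sandbox_header() {
    if has_shell_commands "$1"; then
        echo "refusing: $1 contains shell-capable client commands" >&2
        return 2
    fi
    if has_sandbox_header "$1"; then
        tail -n +2 "$1" > "$2"
    else
        cat "$1" > "$2"
    fi
}

# Demo on constructed input (not real mariadb-dump output).
demo_dir=$(mktemp -d)
printf '%s\n' "$SANDBOX_HEADER" 'CREATE TABLE t (id INT);' \
    'INSERT INTO t VALUES (1);' > "$demo_dir/new.sql"
if strip_sandbox_header "$demo_dir/new.sql" "$demo_dir/portable.sql"; then
    echo "portable.sql written; replay it with an old client: mysql < $demo_dir/portable.sql"
fi

# A constructed dump carrying a shell command is rejected rather than stripped.
printf '%s\n' "$SANDBOX_HEADER" 'CREATE TABLE t (id INT);' '\! id' > "$demo_dir/bad.sql"
strip_sandbox_header "$demo_dir/bad.sql" "$demo_dir/bad-portable.sql" \
    || echo "bad.sql rejected (exit $?)"
```

The better fix is the one the post points at: replay the dump with a client from one of the fixed releases, which understands the header and enforces sandbox mode for the whole session. Stripping the header is only for dumps you already trust, which is why the script refuses when its heuristic finds anything shell-like.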
