When the client program had its stdout file descriptor closed by the calling
shell, after some amount of work (enough to fill a socket buffer) the server
would complain about a packet error and then disconnect the client.
This is a serious security problem. If stdout is closed before mysql is
exec()d, then the first socket() call allocates file number 1 to communicate
with the server. Subsequent write()s to that file number (as when printing
results that come back from the database) go back to the server instead in
the command channel. So, one should be able to craft data which, upon being
selected back from the server to the client, and injected into the command
stream becomes valid MySQL protocol to do something nasty when sent /back/ to
the server.
The solution is to close explicitly the file descriptor that we *printf() to,
so that the libc layer and the OS layer both agree that the file is closed.
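
The descriptor reuse described in the message above, as an added example that is not code from the MySQL tree: it closes stdout, creates a socket, and reports which descriptor number the socket received, with and without a startup check. The startup check (`sanitize_std_fds`, a hypothetical helper) is a different, complementary mitigation to the fix this commit describes; the AF_UNIX socket and /dev/null are assumptions of the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if fd refers to an open file, 0 if the kernel reports EBADF. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Hypothetical startup check: point any closed descriptor in 0..2 at
 * /dev/null so a later socket() cannot be handed a stdio number.
 * Returns the number of descriptors repaired, or -1 on error. */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd)) continue;
        int nfd = open("/dev/null", O_RDWR);
        if (nfd < 0) return -1;
        if (nfd != fd) {            /* defensive: lowest-free rule gives nfd == fd */
            if (dup2(nfd, fd) < 0) { close(nfd); return -1; }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

/* Constructed scenario: stdout is closed (as a shell does for `cmd >&-`),
 * then a socket is created. Returns the socket's descriptor number and
 * restores the original stdout before returning. */
int socket_fd_with_stdout_closed(int sanitize_first)
{
    int saved = dup(STDOUT_FILENO); /* -1 if stdout was already closed */
    close(STDOUT_FILENO);
    int ok = !sanitize_first || sanitize_std_fds() >= 0;
    int s = ok ? socket(AF_UNIX, SOCK_STREAM, 0) : -1;
    if (s >= 0) close(s);
    if (saved >= 0) { dup2(saved, STDOUT_FILENO); close(saved); }
    return s;
}

int main(void)
{
    fprintf(stderr, "no check:   socket fd %d\n", socket_fd_with_stdout_closed(0));
    fprintf(stderr, "with check: socket fd %d\n", socket_fd_with_stdout_closed(1));
    return 0;
}
```

Without the check the socket is assigned descriptor 1, so anything printed to stdout would be written to the server connection; with the check it lands above the stdio range.
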
Fix: "mysql --xml" now prints NULL values the same way that "mysqldump --xml" does:
<field name="name" xsi:nil="true" />
to distinguish from empty strings:
<field name="name"></field>
and from string "NULL":
<field name="name">NULL</field>
The column's NOT NULL flag doesn't affect what we should print. Remove the
wrong logic that does check it.
Also, verify that this and the previous two tests print the same data as
other output formats.
The mysql client uses the default character set on reconnect. The default character set is now controlled by the client charset command while the client is running. The charset command now also issues a SET NAMES command to the server to make sure that the client's charset settings are in sync with the server's.
SIGINT is handled in funny ways on Windows, which could lead to problems when
Control-C was pressed in the client during a long-running query. Now Control-C
during a query aborts that query (by sending KILL to the server on a second
connexion), while Control-C outside of a running query terminates the client.
"I want to have the current delimiter in the prompt so that I can know at
a glance which is set."
Add a 'l' format specifier that represents the current statement delimiter.
Old option ordering in the help was confusing to some users. Changed
ordering of deprecated options to be consistent, and added mention to
entry for options with a "--no-option" variant mentioning the
"--disable-option" variant.
Do not look for client-specific commands while inside a multi-line comment.
We will allow multi-comments pretty much anywhere within SQL-statements,
but client-specific commands (help, use, print, ...) must be the first token
in the input.
Using \U or \u in a prompt with the mysql command-line client could
crash when connecting to the instance manager, since it does not return
information about the user when asked by the client. This is fixed by
having the client use what it knows about the user (or giving up and
saying "(unknown)").
The problem happened because "mysql" didn't send mysql_select_db() if
the current active database was specified in USE.
Now it always sends mysql_select_db().
Rebuilding of completion hash is skipped if the same db is used
(for performance purposes).
Correct a bug (that I introduced, after using Oracle's database software for
too many years) where the length of the database-sent data is incorrectly
used to infer NULLness.
- Add new function 'ssl_verify_server_cert' which is used if we are
connecting to the server with SSL. It will compare the hostname in
the server's cert against the hostname that we used when connecting
to the server. Will reject the connection if hostname does not match.
- Add new option "OPT_SSL_VERIFY_SERVER_CERT" to be passed to mysql_options
which will turn on checking of server's cert.
- Add new argument "ssl-verify-server-cert" to all mysql* clients which
will activate the above option.
- Generate a new server cert with 1024 bits that has "localhost" as the server name.