MDEV-21778 Disable system commands in mysql/mariadb client

mysql --sandbox disables system (\!), tee (\T), pager with an argument(\P foo), source (\.) does *not* disable edit (\e). Use EDITOR=/bin/false to disable or, for example, EDITOR=rnano for something more useful does *not* disable pager (\P) without an argument. Use PAGER=cat or, for example PAGER=less LESSSECURE=1 for something more useful using a disabled command is an error, which can be ignored with --force Also, a "sandbox" command (\-) - enables the sandbox mode until EOF (current file or the session, if interactive)
2025-07-29 05:21:33 +03:00 · 2024-05-05 09:44:10 +02:00
parent 83aedeacc4
commit 2025597c0b
3 changed files with 90 additions and 3 deletions
--- a/mysql-test/main/mysql.result
+++ b/mysql-test/main/mysql.result
@ -633,3 +633,27 @@ drop table t1;
 WARNING: option '--enable-cleartext-plugin' is obsolete.
 1
 1
+# End of 10.3 tests
+#
+# MDEV-21778 Disable system commands in mysql/mariadb client
+#
+ERROR at line 1: Not allowed in the sandbox mode
+1
+ERROR at line 1: Not allowed in the sandbox mode
+2
+ERROR at line 1: Not allowed in the sandbox mode
+3
+1
+entering sandbox
+system
+tee
+source
+^^^
+2
+entering sandbox
+system
+tee
+source
+^^^
+3
+# End of 10.5 tests