MDEV-3915 COM_CHANGE_USER allows fast password brute-forcing

allow only three failed change_user per connection. successful change_user do NOT reset the counter tests/mysql_client_test.c: make --error to work for --change_user errors
2025-08-08 11:22:35 +03:00 · 2013-01-25 00:17:39 +01:00
parent 8127e631de
commit bfc71e63a7
8 changed files with 164 additions and 79 deletions
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -675,6 +675,7 @@ THD::THD()
   stmt_depends_on_first_successful_insert_id_in_prev_stmt(FALSE),
   examined_row_count(0),
   global_read_lock(0),
+   failed_com_change_user(0),
   is_fatal_error(0),
   transaction_rollback_request(0),
   is_fatal_sub_stmt_error(0),