Security: fix vulnerability where -database parameter accepts arbitrary DSN strings

2022-01-13 16:07:51 +00:00 · 2022-01-13 16:07:51 +00:00 · 83413c339e
commit 83413c339e
parent e484824bbd
2 changed files with 7 additions and 1 deletions
--- a/build.sh
+++ b/build.sh
@ -18,7 +18,7 @@ function build {
  GOOS=$3
  GOARCH=$4

-  if ! go version | egrep -q 'go(1\.1[56])' ; then
+  if ! go version | egrep -q 'go1\.(1[5-9]|[2-9][0-9]{1})' ; then
    echo "go version must be 1.15 or above"
    exit 1
  fi
--- a/go/cmd/gh-ost/main.go
+++ b/go/cmd/gh-ost/main.go
@ -8,6 +8,7 @@ package main
 import (
 	"flag"
 	"fmt"
+	"net/url"
 	"os"
 	"os/signal"
 	"syscall"
@ -188,6 +189,11 @@ func main() {
 			log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name")
 		}
 	}
+
+	if err := flag.Set("database", url.QueryEscape(migrationContext.DatabaseName)); err != nil {
+		migrationContext.Log.Fatale(err)
+	}
+
 	if migrationContext.OriginalTableName == "" {
 		if parser.HasExplicitTable() {
 			migrationContext.OriginalTableName = parser.GetExplicitTable()