From 83413c339ec4601e5a4e0d3e3288bda9b6977170 Mon Sep 17 00:00:00 2001
From: dm-2 <45519614+dm-2@users.noreply.github.com>
Date: Thu, 13 Jan 2022 16:07:51 +0000
Subject: [PATCH] Security: fix vulnerability where `-database` parameter accepts arbitrary DSN strings

---
 build.sh              | 2 +-
 go/cmd/gh-ost/main.go | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/build.sh b/build.sh
index 6efa2d4..72c14d9 100755
--- a/build.sh
+++ b/build.sh
@@ -18,7 +18,7 @@ function build {
   GOOS=$3
   GOARCH=$4
 
-  if ! go version | egrep -q 'go(1\.1[56])' ; then
+  if ! go version | egrep -q 'go1\.(1[5-9]|[2-9][0-9]{1})' ; then
     echo "go version must be 1.15 or above"
     exit 1
   fi
diff --git a/go/cmd/gh-ost/main.go b/go/cmd/gh-ost/main.go
index 7b5af54..740813e 100644
--- a/go/cmd/gh-ost/main.go
+++ b/go/cmd/gh-ost/main.go
@@ -8,6 +8,7 @@ package main
 import (
 	"flag"
 	"fmt"
+	"net/url"
 	"os"
 	"os/signal"
 	"syscall"
@@ -188,6 +189,11 @@ func main() {
 			log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name")
 		}
 	}
+
+	if err := flag.Set("database", url.QueryEscape(migrationContext.DatabaseName)); err != nil {
+		migrationContext.Log.Fatale(err)
+	}
+
 	if migrationContext.OriginalTableName == "" {
 		if parser.HasExplicitTable() {
 			migrationContext.OriginalTableName = parser.GetExplicitTable()
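Review bot: The `{1}` quantifier in the new pattern `go1\.(1[5-9]|[2-9][0-9]{1})` is a no-op and `egrep` is deprecated in favour of `grep -E`, so the line reads more plainly as `if ! go version | grep -Eq 'go1\.(1[5-9]|[2-9][0-9])' ; then`. The pattern is unanchored and matches on a prefix, which is fine for the `go version` output format but worth a comment such as `# accept go 1.15 through 1.99; bump when the major version changes` so the next reader knows the upper bound is deliberate. The enclosing `build` function starts and ends outside the hunk.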
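Review bot: The new `flag.Set("database", url.QueryEscape(...))` rewrites the parsed flag value in place, so every later consumer of `migrationContext.DatabaseName` (SQL identifiers, log lines, not just the DSN) will see the escaped form, which only works if the flag is bound directly to that field and nothing else reads the raw name; this is inferred, since the binding is outside the hunk. `url.QueryEscape` also encodes a space as `+` rather than `%20`, so a database name containing a space would presumably not round-trip through a DSN parser that path-unescapes the name; if the project targets such names, `url.PathEscape` is the closer match, and either way a short comment is warranted, e.g. `// Escape the schema name so it cannot carry DSN separators (?, &, /) into the connection string.` A narrower and easier-to-audit fix would apply the escaping at the single point where the DSN string is assembled rather than mutating the validated flag value here. `main` starts and ends outside the hunk.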