octoleo/gh-ost
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security: fix vulnerability where -database parameter accepts arbitrary DSN strings

Browse Source
This commit is contained in:
dm-2 2022-01-13 16:07:51 +00:00
parent e484824bbd
commit 83413c339e
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build.sh
View File

@ -18,7 +18,7 @@ function build {
GOOS=$3 GOOS=$3
GOARCH=$4 GOARCH=$4
if ! go version | egrep -q 'go(1\.1[56])' ; then if ! go version | egrep -q 'go1\.(1[5-9]|[2-9][0-9]{1})' ; then
echo "go version must be 1.15 or above" echo "go version must be 1.15 or above"
exit 1 exit 1
fi fi

6
go/cmd/gh-ost/main.go
View File

@ -8,6 +8,7 @@ package main
import ( import (
"flag" "flag"
"fmt" "fmt"
"net/url"
"os" "os"
"os/signal" "os/signal"
"syscall" "syscall"
@ -188,6 +189,11 @@ func main() {
log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name") log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name")
} }
} }
if err := flag.Set("database", url.QueryEscape(migrationContext.DatabaseName)); err != nil {
migrationContext.Log.Fatale(err)
}
if migrationContext.OriginalTableName == "" { if migrationContext.OriginalTableName == "" {
if parser.HasExplicitTable() { if parser.HasExplicitTable() {
migrationContext.OriginalTableName = parser.GetExplicitTable() migrationContext.OriginalTableName = parser.GetExplicitTable()