Security: fix vulnerability where -database parameter accepts arbitrary DSN strings

(cherry picked from commit 4dab3d5a689c6a5727174980071c7f9a563193f1)
2022-01-13 16:07:51 +00:00 · 2022-01-13 16:07:51 +00:00 · a91ab042de
commit a91ab042de
parent 1460aa1666
2 changed files with 7 additions and 1 deletions
--- a/build.sh
+++ b/build.sh
@ -18,7 +18,7 @@ function build {
  GOOS=$3
  GOARCH=$4

-  if ! go version | egrep -q 'go(1\.1[56])' ; then
+  if ! go version | egrep -q 'go1\.(1[5-9]|[2-9][0-9]{1})' ; then
    echo "go version must be 1.15 or above"
    exit 1
  fi
--- a/go/cmd/gh-ost/main.go
+++ b/go/cmd/gh-ost/main.go
@ -8,6 +8,7 @@ package main
 import (
 	"flag"
 	"fmt"
+	"net/url"
 	"os"
 	"os/signal"
 	"syscall"
@ -188,6 +189,11 @@ func main() {
 			log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name")
 		}
 	}
+
+	if err := flag.Set("database", url.QueryEscape(migrationContext.DatabaseName)); err != nil {
+		migrationContext.Log.Fatale(err)
+	}
+
 	if migrationContext.OriginalTableName == "" {
 		if parser.HasExplicitTable() {
 			migrationContext.OriginalTableName = parser.GetExplicitTable()