Hi Georg,
On Wed, 2023-07-05 at 20:15 +0200, Georg Richter wrote:
> > Do you agree it makes sense to have a new error that can tell clients
> > to go to another server (similar to how HTTP 301 redirects work)?
> > I would very much like to hear your opinion on this one. If you are in
> > agreement, Daniel can spend more time polishing the feature and also
> > taking care of implementation details such as preventing redirect
> > loops and other corner cases.
> If we want to implement redirection via error message, then the client needs an option…

Done.

> … an option to enable redirecting, it should be disabled by default.

Why does it make sense for it to be disabled by default?
Again, I'm trying to follow the semantics of HTTP 3xx redirects here. Most HTTP(S) clients (e.g. web browsers) do follow redirections by default, and only disable them in specific cases where the server configuration is broken. For example, if the client encounters a redirect loop, or gets redirected to a server with an invalid certificate; the latter case has nothing to do with redirection per se.
> The current PR introduces a new vulnerability, since the client redirects automatically under the hood.

Why should automatic redirection be considered a vulnerability?
If a client, C1, trusts a MariaDB database server, S1, to handle its queries correctly, then presumably it should also trust that server to tell it to go redirect to another server, S2, and issue its queries to that alternate server instead.

If redirection offered an opportunity for untrusted third parties to redirect to attacker-controlled servers, that would be a vulnerability. And that is precisely why it is crucial to plug the pre-existing https://jira.mariadb.org/browse/CONC-648 vulnerability while implementing redirection.

Thanks,
Daniel
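
An added example, not part of the message above and not code from the PR under discussion: a model of the client-side checks the thread names (an opt-in switch, redirect-loop detection, and refusing a redirect that did not come from an authenticated server). The struct, function names, hop limit and the `tls_verified` flag are assumptions made for illustration; replies are a constructed table, not real connections.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_REDIRECTS 4 /* assumed hop limit; the thread names none */

enum follow_result { FOLLOW_OK, FOLLOW_DISABLED, FOLLOW_UNAUTHENTICATED,
                     FOLLOW_LOOP, FOLLOW_TOO_MANY };

/* One constructed server reply (hypothetical struct, not a connector type). */
struct reply {
    const char *from;        /* server that sent the reply */
    const char *redirect_to; /* NULL when the server accepts the session */
    bool tls_verified;       /* reply arrived after a verified TLS handshake */
};

/* Stand-in for a real connect: find the reply a host would send. */
static const struct reply *reply_for(const struct reply *tbl, size_t n,
                                     const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].from, host) == 0)
            return &tbl[i];
    return NULL; /* host not in the table: treated as accepting */
}

/* Follow redirects from `start`; on FOLLOW_OK *final is the serving host. */
enum follow_result follow_redirects(const struct reply *tbl, size_t n,
                                    const char *start, bool enabled,
                                    const char **final)
{
    const char *seen[MAX_REDIRECTS + 1]; /* hosts already visited */
    size_t hops = 0;
    const char *host = start;

    for (;;) {
        const struct reply *r = reply_for(tbl, n, host);
        if (r == NULL || r->redirect_to == NULL) {
            *final = host;
            return FOLLOW_OK;
        }
        if (!enabled) return FOLLOW_DISABLED;              /* opt-in switch */
        if (!r->tls_verified) return FOLLOW_UNAUTHENTICATED; /* untrusted sender */
        seen[hops] = host;
        for (size_t i = 0; i <= hops; i++)                 /* loop detection */
            if (strcmp(seen[i], r->redirect_to) == 0) return FOLLOW_LOOP;
        if (++hops > MAX_REDIRECTS) return FOLLOW_TOO_MANY;
        host = r->redirect_to;
    }
}
```
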