From 82563c5fc0a40d64d8e8e9de2bf6f904fa6c0dc6 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Sun, 21 Jul 2019 12:09:17 +0200
Subject: MDEV-20110 don't try to load client plugins with invalid names

reported by lixtelnis
---
 sql-common/client_plugin.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'sql-common')

diff --git a/sql-common/client_plugin.c b/sql-common/client_plugin.c
index f5e1ffbbf5c..812cefe03f5 100644
--- a/sql-common/client_plugin.c
+++ b/sql-common/client_plugin.c
@@ -362,7 +362,13 @@ mysql_load_plugin_v(MYSQL *mysql, const char *name, int type,
 mysql->options.extension && mysql->options.extension->plugin_dir ?
 mysql->options.extension->plugin_dir : PLUGINDIR, "/",
 name, SO_EXT, NullS);
-
+
+ if (strpbrk(name, "()[]!@#$%^&/*;.,'?"))
+ {
+ errmsg= "invalid plugin name";
+ goto err;
+ }
+
 DBUG_PRINT ("info", ("dlopeninig %s", dlpath));
 /* Open new dll handle */
 if (!(dlhandle= dlopen(dlpath, RTLD_NOW)))
-- 
cgit v1.2.1
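Review bot: The reject list in the added `strpbrk(name, "()[]!@#$%^&/*;.,'?")` check covers `/` and `.` but not the backslash, so on any build where the loader treats `\` as a path separator a name could still point outside the plugin directory; the minimal change is `if (strpbrk(name, "()[]!@#$%^&/*;.,'?\\"))`. A denylist also has to be kept in step with every platform's path syntax, so an allowlist that accepts only letters, digits, `_` and `-` would be the more durable form of this check. The check also sits after `dlpath` has already been composed from `name`; that is harmless because the `goto err` comes before `dlopen`, but validating before the path is built would keep a rejected name out of the buffer entirely. Whether `name` can be NULL here is not visible, since the function body starts and ends outside the hunk.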