mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-09-20 08:40:50 +00:00
Close interserver connection on exception that happened before first authentication
parent
4ed4fbe74d
commit
953a8d774a
@ -690,6 +690,13 @@ void TCPHandler::runImpl()
|
|||||||
LOG_WARNING(log, "Client has gone away.");
|
LOG_WARNING(log, "Client has gone away.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Interserver authentication is done only after we read the query.
|
||||||
|
/// This fact can be abused by producing exception before or while we read the query.
|
||||||
|
/// To aovid any potential exploits, we simply close connection on any exceptions
|
||||||
|
/// that happen before the first query is authenticated with the cluster secret.
|
||||||
|
if (is_interserver_mode && exception && !is_interserver_authenticated)
|
||||||
|
exception->rethrow();
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
/// A query packet is always followed by one or more data packets.
|
/// A query packet is always followed by one or more data packets.
|
||||||
@ -1797,6 +1804,8 @@ void TCPHandler::receiveQuery()
|
|||||||
/// address.
|
/// address.
|
||||||
session->authenticate(AlwaysAllowCredentials{client_info.initial_user}, client_info.initial_address);
|
session->authenticate(AlwaysAllowCredentials{client_info.initial_user}, client_info.initial_address);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
is_interserver_authenticated = true;
|
||||||
#else
|
#else
|
||||||
auto exception = Exception(ErrorCodes::AUTHENTICATION_FAILED,
|
auto exception = Exception(ErrorCodes::AUTHENTICATION_FAILED,
|
||||||
"Inter-server secret support is disabled, because ClickHouse was built without SSL library");
|
"Inter-server secret support is disabled, because ClickHouse was built without SSL library");
|
||||||
|
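Review bot: The new guard in TCPHandler::runImpl() rethrows without recording why the connection is being dropped, so an unauthenticated peer that triggers exceptions in interserver mode may be hard to tell apart in the logs from an ordinary query failure. Consider bracing the `if` and adding a line before `exception->rethrow();` such as `LOG_WARNING(log, "Closing interserver connection: exception before cluster secret authentication");`, unless the handlers above the hunk already log this case. The comment above the guard has a typo: `aovid` should be `avoid`. runImpl's body starts and ends outside the hunk, so whether the rethrow skips cleanup further down cannot be checked from here.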
@ -200,6 +200,7 @@ private:
|
|||||||
bool is_ssh_based_auth = false;
|
bool is_ssh_based_auth = false;
|
||||||
/// For inter-server secret (remote_server.*.secret)
|
/// For inter-server secret (remote_server.*.secret)
|
||||||
bool is_interserver_mode = false;
|
bool is_interserver_mode = false;
|
||||||
|
bool is_interserver_authenticated = false;
|
||||||
/// For DBMS_MIN_REVISION_WITH_INTERSERVER_SECRET
|
/// For DBMS_MIN_REVISION_WITH_INTERSERVER_SECRET
|
||||||
String salt;
|
String salt;
|
||||||
/// For DBMS_MIN_REVISION_WITH_INTERSERVER_SECRET_V2
|
/// For DBMS_MIN_REVISION_WITH_INTERSERVER_SECRET_V2
|
||||||
|
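Review bot: `is_interserver_authenticated` is added without a comment, and in the visible hunks it is only ever set to `true` (in TCPHandler::receiveQuery()) and never cleared, so it appears to describe the connection rather than the current query. A comment such as `/// Set once the first query on this connection has passed the cluster secret check; not reset for later queries.` would make that explicit, since the close-on-exception guard in runImpl() stops applying once the flag is set. If a reset exists outside these hunks, the wording should be adjusted to match.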