Bug #53466 end_connection() should reference global_system_variables.log_warnings
Submitted: 6 May 2010 14:30 Modified: 10 Nov 2011 19:09
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Errors Severity:S3 (Non-critical)
Version:5.1.46, 5.5.4 OS:Any
Assigned to: CPU Architecture:Any
Tags: log_warnings
Triage: Triaged: D3 (Medium)

[6 May 2010 14:30] Shane Bester
Description:
end_connection prints out messages like this, depending on *session* log_warnings value:

Aborted connection 2 to db: 'unconnected' user: 'root' host: '' (Got timeout reading communication packets)

This is wrong because it allows a minimally privileged user to write copious amounts of errors to the .err file, unless he is restricted by the number of MAX_CONNECTIONS_PER_HOUR in his user account.

How to repeat:
1. start server with --log-warnings=0;

2. connect any client, set session log_warnings=2; then kill the client app/thread
   so that mysql_close() is skipped.

3. notice in the server error log is an aborted connection error

Suggested fix:
end_connection should reference global_system_variables.log_warnings instead of 
thd->variables.log_warnings

the added bonus with this fix is that *existing* connections will not print errors when ending after an admin has globally set log_warnings=1 (or 0).
[10 Nov 2011 19:09] Paul Dubois
Noted in 5.6.4 changelog.

Previously, "Aborted connection" errors were written to the error log
based on the session value of log_warnings, which permitted users
with minimal privileges to cause many messages to be written to the
log unless restricted by the MAX_CONNECTIONS_PER_HOUR resource limit.
Now this logging is based on the global log_warnings variable. There
are no remaining uses of the session log_warnings variable, so it has
been removed that the variable has only a global value. 

Also updated log_warnings description to indicate that it is global only.
[26 Sep 2012 9:12] Shane Bester
the patch for this bug made it not possible to enable session-level warnings in future, in case it would be needed.

http://bugs.mysql.com/bug.php?id=66953