Bug #54051 BENCHMARK allows pointlessly high count values
Submitted: 28 May 2010 2:02
Modified: 28 May 2010 3:18
Reporter: Andrew Dalgleish
Status: Verified
Impact on me: None
Category: MySQL Server: General
Severity: S3 (Non-critical)
Version: 5.0, 5.1
OS: Any
Assigned to:
CPU Architecture: Any
Triage: Triaged: D5 (Feature request)

[28 May 2010 2:02] Andrew Dalgleish
Description:
BENCHMARK and SLEEP allow pointlessly high count values.

A malicious user could use this to add load to the server or tie up connections.

How to repeat:
SELECT BENCHMARK( 100000000000000000000000000000000000000000000000000000000000000000000000000000, SHA1("ABC"));
SELECT SLEEP(10000000000);

Suggested fix:
Add a configurable limit to benchmark and sleep parameters.
(These are not commonly used in a production setting.)

Add a per-user query timeout limit.
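The two controls the report asks for, a cap on how long a statement may run and per-user limits, exist in later MySQL releases. The following is an added example and not part of the bug report or of MySQL's own documentation: it assumes MySQL 5.7.8 or later, where the `max_execution_time` system variable (absent from the 5.0 and 5.1 versions named above) bounds SELECT statements, and it uses a constructed account 'app'@'localhost' with a placeholder password.

```sql
-- Added example (MySQL 5.7.8+); the account name and password are placeholders.
-- SET GLOBAL requires SUPER (or SYSTEM_VARIABLES_ADMIN in 8.0).

-- 1. Cap every SELECT at 30 s server-wide (milliseconds; 0 = no limit).
--    The limit applies to SELECT statements only, which is where the
--    BENCHMARK() and SLEEP() calls from the report are issued.
SET GLOBAL max_execution_time = 30000;

-- 2. Give an untrusted application session a shorter limit (e.g. from the
--    connector's init statements).
SET SESSION max_execution_time = 5000;

-- 3. Per-user resource limits so one account cannot tie up the connection
--    pool or flood the server with queries.
CREATE USER IF NOT EXISTS 'app'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder';
ALTER USER 'app'@'localhost'
  WITH MAX_USER_CONNECTIONS 10
       MAX_QUERIES_PER_HOUR 10000;

-- 4. Verify the effective settings.
SHOW VARIABLES LIKE 'max_execution_time';
SELECT User, Host, max_user_connections, max_questions
  FROM mysql.user
 WHERE User = 'app';

-- 5. The reproduction statements now stop at the limit instead of running
--    until the count is exhausted. BENCHMARK() is aborted with
--    ER_QUERY_TIMEOUT (error 3024) once the 5 s session limit elapses.
SELECT BENCHMARK(100000000000, SHA1('ABC'));
-- SLEEP() is woken by the same timeout; an interrupted bare SLEEP() reports
-- the interruption through its return value rather than an error, so check
-- elapsed time, not only the result, when testing this.
SELECT SLEEP(10000000000);

-- 6. A single statement can opt into a tighter limit with an optimizer hint.
SELECT /*+ MAX_EXECUTION_TIME(1000) */ BENCHMARK(1000000000, SHA1('ABC'));
```

The statement timeout covers the load problem the report describes; the per-user limits address the connection tie-up. Neither is available on 5.0/5.1, where the options are KILL QUERY from a monitoring job or restricting which accounts may run ad-hoc SELECTs at all.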
[28 May 2010 3:18] Valeriy Kravchuk
Thank you for the feature request.