Bug #68785 No client control over which attributes are exposed
Submitted: 26 Mar 2013 19:03
Reporter: Todd Farmer (OCA)
Status: Verified
Category: MySQL Server: Command-line Clients
Severity: S3 (Non-critical)
Version: 5.6.10
OS: Any
Assigned to:
CPU Architecture: Any

[26 Mar 2013 19:03] Todd Farmer
Description:
With MySQL 5.6, P_S can track connection attributes set by the client at
connection time.  The mysql (and related) clients include attributes which
the user cannot control or restrict in any way.  This means that the
following is always exposed to all users able to query
performance_schema.session_connect_attrs:

* OS info
* client thread ID
* platform

While it is unclear whether any of this information can be leveraged into
security exploits, the lack of control over what information is exposed is
problematic.

How to repeat:
    mysql> SELECT * FROM performance_schema.session_connect_attrs\G
    *************************** 1. row ***************************
      PROCESSLIST_ID: 4
           ATTR_NAME: _command_line
          ATTR_VALUE: bin\mysql -uroot -P3307 -p
    ORDINAL_POSITION: 0
    *************************** 2. row ***************************
      PROCESSLIST_ID: 4
           ATTR_NAME: _client_name
          ATTR_VALUE: libmysql
    ORDINAL_POSITION: 1
    *************************** 3. row ***************************
      PROCESSLIST_ID: 4
           ATTR_NAME: _pid
          ATTR_VALUE: 3944
    ORDINAL_POSITION: 2
    *************************** 4. row ***************************
      PROCESSLIST_ID: 4
           ATTR_NAME: _client_version
          ATTR_VALUE: 5.6.6-m9
    ORDINAL_POSITION: 3
    *************************** 5. row ***************************
      PROCESSLIST_ID: 4
           ATTR_NAME: _platform
          ATTR_VALUE: x86
    ORDINAL_POSITION: 4
    *************************** 6. row ***************************
      PROCESSLIST_ID: 4
           ATTR_NAME: program_name
          ATTR_VALUE: mysql
    ORDINAL_POSITION: 5
    *************************** 7. row ***************************
      PROCESSLIST_ID: 4
           ATTR_NAME: _os
          ATTR_VALUE: Win32
    ORDINAL_POSITION: 6
    *************************** 8. row ***************************
      PROCESSLIST_ID: 4
           ATTR_NAME: _thread
          ATTR_VALUE: 1340
    ORDINAL_POSITION: 7

Suggested fix:
Allow mysql (and related clients, including replication and FEDERATED connections using libmysql) to specify which attributes to expose or not.
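As an added example (not part of the bug report or of the MySQL code), the Python below encodes and decodes the CLIENT_CONNECT_ATTRS block of the handshake response in which a libmysql client sends these attributes, and lists the ones the library adds on its own (the underscore-prefixed names the report says the user cannot control). The attribute names and values are constructed from the output above; the function names are assumptions of this example.

```python
# Added example, not from the bug report: encode/decode the CLIENT_CONNECT_ATTRS
# block of a MySQL HandshakeResponse41 packet (lenenc total length, then
# lenenc key / lenenc value pairs) and list the attributes the client library
# adds by itself. SAMPLE_ATTRS is constructed from the report's P_S rows.

def lenenc_int(n: int) -> bytes:
    # MySQL length-encoded integer: 1 byte below 251, else 0xfc/0xfd/0xfe prefix.
    if n < 251:
        return bytes([n])
    if n < 1 << 16:
        return b"\xfc" + n.to_bytes(2, "little")
    if n < 1 << 24:
        return b"\xfd" + n.to_bytes(3, "little")
    return b"\xfe" + n.to_bytes(8, "little")

def read_lenenc_int(buf: bytes, pos: int):
    """Return (value, position just after the encoded integer)."""
    first = buf[pos]
    if first < 251:
        return first, pos + 1
    width = {0xFC: 2, 0xFD: 3, 0xFE: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def lenenc_str(s: str) -> bytes:
    data = s.encode("utf-8")
    return lenenc_int(len(data)) + data

def encode_connect_attrs(attrs: dict) -> bytes:
    body = b"".join(lenenc_str(k) + lenenc_str(v) for k, v in attrs.items())
    return lenenc_int(len(body)) + body

def decode_connect_attrs(buf: bytes) -> dict:
    total, pos = read_lenenc_int(buf, 0)
    end, attrs = pos + total, {}
    while pos < end:
        klen, pos = read_lenenc_int(buf, pos)
        key, pos = buf[pos:pos + klen].decode("utf-8"), pos + klen
        vlen, pos = read_lenenc_int(buf, pos)
        attrs[key], pos = buf[pos:pos + vlen].decode("utf-8"), pos + vlen
    return attrs

def library_added(attrs: dict) -> list:
    """Underscore-prefixed names are set by libmysql, not by the user."""
    return sorted(k for k in attrs if k.startswith("_"))

# Constructed from the report's output, in ordinal order.
SAMPLE_ATTRS = {
    "_command_line": r"bin\mysql -uroot -P3307 -p", "_client_name": "libmysql",
    "_pid": "3944", "_client_version": "5.6.6-m9", "_platform": "x86",
    "program_name": "mysql", "_os": "Win32", "_thread": "1340",
}
```

Everything `encode_connect_attrs` produces is what the server stores in session_connect_attrs, so `library_added(SAMPLE_ATTRS)` is exactly the set the report says the client cannot suppress.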