Description:
A CONN_CAPABILITIES_GET message can be sent and will be responded to prior to logging in so thus needs no credentials.
MySQL will currently tell you the version of the X plugin when you send such a message.
E.g.
capabilities {
name: "plugin.version"
value {
type: SCALAR
scalar {
type: V_STRING
v_string {
value: "1.0.2"
}
}
}
}
It is not a good idea to expose exact version numbers to a client as this facilitates
attacks to a server if the exact version of software that is running is known.
I have never liked the fact that the classic protocol also exposes the exact MySQL version and this is not configurable.
In theory it should be sufficient to know the major version (as all major versions should be [mainly] compatible). Once logged in access to the full MySQL version is straightforward and makes sense.
How to repeat:
Use a protocol dumper to see that it's possible prior to authenticating to get the MySQL version and all capabilities retrieved prior to authenticating with the server are visible. This includes the x plugin version.
Suggested fix:
I would suggest not exposing this information directly to the client, unless the client has previously authenticated.
If you think that you _need_ this information then perhaps the information you are exposing should be shown some other way, in terms of capabilities that the server offers etc.
It would also be good to not have to expose the exact MySQL version in 8.0 to the client. Again if there's information that clients need based on this version that should be adjusted so this is not necessary.
Description: A CONN_CAPABILITIES_GET message can be sent and will be responded to prior to logging in so thus needs no credentials. MySQL will currently tell you the version of the X plugin when you send such a message. E.g. capabilities { name: "plugin.version" value { type: SCALAR scalar { type: V_STRING v_string { value: "1.0.2" } } } } It is not a good idea to expose exact version numbers to a client as this facilitates attacks to a server if the exact version of software that is running is known. I have never liked the fact that the classic protocol also exposes the exact MySQL version and this is not configurable. In theory it should be sufficient to know the major version (as all major versions should be [mainly] compatible). Once logged in access to the full MySQL version is straightforward and makes sense. How to repeat: Use a protocol dumper to see that it's possible prior to authenticating to get the MySQL version and all capabilities retrieved prior to authenticating with the server are visible. This includes the x plugin version. Suggested fix: I would suggest not exposing this information directly to the client, unless the client has previously authenticated. If you think that you _need_ this information then perhaps the information you are exposing should be shown some other way, in terms of capabilities that the server offers etc. It would also be good to not have to expose the exact MySQL version in 8.0 to the client. Again if there's information that clients need based on this version that should be adjusted so this is not necessary.