Bug #90323 Greedy pattern matching for client history and no way to disable it
Submitted: 6 Apr 2018 10:54
Modified: 6 Apr 2018 11:43
Reporter: Ceri Williams
Status: Duplicate
Category: MySQL Server: Command-line Clients
Severity: S4 (Feature request)
Version: 5.7
OS: Any
Assigned to:
CPU Architecture: Any

[6 Apr 2018 10:54] Ceri Williams
Description:
"mysql ignores for logging purposes statements that match any pattern in the “ignore” list. By default, the pattern list is "*IDENTIFIED*:*PASSWORD*", to ignore statements that refer to passwords. Pattern matching is not case sensitive. Within patterns, two characters are special:

? matches any single character.

* matches any sequence of zero or more characters."

This default pattern is documented as being constant:
"To specify additional patterns, use the --histignore"

It is greedy and there is no way around it, and it causes numerous completely harmless queries to be blocked from history, which can be frustrating with limited terminal history and no way to scroll up.

If the intention is also to prevent password hashes from being logged, which are also sensitive, then this fails if you update the mysql.user table directly for any reason on versions where authentication_string is used.

How to repeat:

$ cat ~/.mysql_history

$ mysql -Ns           
mysql> select 1;
1
mysql> select "this is not a password";
this is not a password
mysql> select "I am identified by my name";
I am identified by my name
mysql> select 1;
1
mysql> \q

$ cat ~/.mysql_history
select 1;
\q

$ :> ~/.mysql_history

$ mysql -Ns
mysql> select char_length(user) from mysql.user limit 1;
7
mysql> select char_length(user) from mysql.user where plugin <> 'sha256_password' limit 1;
4
mysql> \q

$ cat ~/.mysql_history
select char_length(user) from mysql.user limit 1;
\q

$ :> ~/.mysql_history

$ mysql -Ns           
mysql> update mysql.user set authentication_string = "*9B500343BC52E2911172EB52" where user = "root" and plugin = "auth_socket";
mysql> \q

$ cat ~/.mysql_history
\q
update mysql.user set authentication_string = "*9B5003...." where user = "root" and plugin = "auth_socket";
\q

Suggested fix:
Allow the user to override the ignore pattern rather than append to it so that they can choose a more suitable pattern for work that they will be carrying out.

Additionally, add authentication_string to the default pattern.
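
Added example, not part of the original report and not the mysql client's own code: a Python model of the matching rules quoted in the description, run over the statements from the "How to repeat" session. It assumes each pattern is matched against the whole statement; the function names are hypothetical.

```python
import re

# Default ignore list as quoted in the report; entries are colon-separated.
DEFAULT_HISTIGNORE = "*IDENTIFIED*:*PASSWORD*"

def pattern_to_regex(pattern):
    """Translate one ignore pattern: '?' is any single char, '*' any run of chars."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Matching is documented as not case sensitive.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def is_ignored(statement, extra_patterns=""):
    """True if any pattern matches the whole statement (assumption).

    extra_patterns models --histignore: it is appended to the default
    list and cannot replace it, which is the behaviour the report describes.
    """
    patterns = DEFAULT_HISTIGNORE.split(":")
    if extra_patterns:
        patterns += extra_patterns.split(":")
    return any(pattern_to_regex(p).fullmatch(statement) for p in patterns if p)

def logged_statements(statements, extra_patterns=""):
    """Statements that would still be written to the history file."""
    return [s for s in statements if not is_ignored(s, extra_patterns)]

# Statements copied from the session in the report.
SESSION = [
    'select 1;',
    'select "this is not a password";',
    'select "I am identified by my name";',
    'select char_length(user) from mysql.user limit 1;',
    "select char_length(user) from mysql.user where plugin <> 'sha256_password' limit 1;",
    'update mysql.user set authentication_string = "*9B500343BC52E2911172EB52" '
    'where user = "root" and plugin = "auth_socket";',
]

if __name__ == "__main__":
    for stmt in SESSION:
        print("ignored" if is_ignored(stmt) else "LOGGED ", stmt)
```

Passing "*AUTHENTICATION_STRING*" as extra_patterns models appending that pattern with --histignore, which keeps the UPDATE out of the history while the harmless SELECTs remain suppressed by the default list.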

[6 Apr 2018 11:16] MySQL Verification Team
Hello Ceri Williams,

Thank you for the report and feedback.
As you noted in related Bug #86917, mysql ignores for logging purposes statements that match any pattern in the “ignore” list. By default, the pattern list is "*IDENTIFIED*:*PASSWORD*", to ignore statements that refer to passwords. Since we already have Bug #86917 for the same purpose, i.e. to allow overriding the default ignore list, I am marking this as a duplicate of Bug #86917.

Thanks,
Umesh

[6 Apr 2018 11:40] Ceri Williams
Hi Umesh

I don't agree that this is a duplicate. I meant for this to be a feature request, so I've corrected the severity.

This is specifically stating that you cannot override the default and it is overly greedy.

The bug that you have marked this as duplicating is actually working "correctly", since the IDENTIFIED keyword is used.

Thanks

Ceri