call "sys"."settimeout"(-9) is allowed currently but it should not be allowed.
Also it immediately results in a situation where every sent SQL results in an
Error: Query aborted due to timeout
This makes the session useless for the application/user. This should not be possible.
Reproducible: Always
Steps to Reproduce:
Start mserver5
Start mclient
Execute SQL queries:
SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
CALL "sys"."settimeout"(9);
SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
CALL "sys"."settimeout"(0);
SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
CALL "sys"."settimeout"(-9);
SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
Actual Results:
Welcome to mclient, the MonetDB/SQL interactive terminal (unreleased)
Database: MonetDB v11.24.0 (unreleased), 'demo'
Type \q to quit, ? for a list of available commands
auto commit mode: on
sql>SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
+--------------+
| querytimeout |
+==============+
| 0 |
+--------------+
1 tuple (1.189ms)
sql>
sql>CALL "sys"."settimeout"(9);
sql>SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
+--------------+
| querytimeout |
+==============+
| 9 |
+--------------+
1 tuple (0.966ms)
sql>
sql>CALL "sys"."settimeout"(0);
sql>SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
+--------------+
| querytimeout |
+==============+
| 0 |
+--------------+
1 tuple (0.802ms)
sql>
sql>CALL "sys"."settimeout"(-9);
Query aborted due to timeout
sql>SELECT "querytimeout" FROM "sys"."sessions"() WHERE "active";
Query aborted due to timeout
sql>
Expected Results:
error msg "Illegal timeout value: -9" after: CALL "sys"."settimeout"(-9);
No setting or change of the querytimeout parameter of the current session, such that successive SQL statements are executed normally.
Potentially also
CALL "sys"."settimeout"(9, -10);
and
CALL "sys"."setsession"(-9);
should be protected against calling negative session timeouts.
Date: 2016-10-06 17:48:39 +0200
From: Martin van Dinther <<martin.van.dinther>>
To: SQL devs <>
Version: 11.23.7 (Jun2016-SP1)
CC: @mlkersten
Last updated: 2016-12-21 13:07:12 +0100
Comment 24467
Date: 2016-10-06 17:48:39 +0200
From: Martin van Dinther <<martin.van.dinther>>
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Build Identifier:
Comment 24468
Date: 2016-10-06 18:05:10 +0200
From: @mlkersten
I patched the default branch to protect against it.
Comment 24469
Date: 2016-10-06 18:07:01 +0200
From: MonetDB Mercurial Repository <>
Changeset ba5ba134b9e2 made by Martin van Dinther martin.van.dinther@monetdbsolutions.com in the MonetDB repo, refers to this bug.
For complete details, see http://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=ba5ba134b9e2
Changeset description:
Comment 24470
Date: 2016-10-06 18:08:29 +0200
From: Martin van Dinther <<martin.van.dinther>>
The procedures:
-- control the query and session time out
create procedure sys.settimeout("query" bigint)
external name sql.settimeout;
create procedure sys.settimeout("query" bigint, "session" bigint)
external name sql.settimeout;
create procedure sys.setsession("timeout" bigint)
external name sql.setsession;
are created in file: 22_clients.sql
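Added example, not MonetDB's code and not part of the original thread: a small C model of why a negative query timeout locks the session out, next to a setter that rejects it with the error message the report asks for. The struct, the function names and the comparison in `query_timed_out` are assumptions made for illustration; only the observed behaviour (0 means no limit, -9 aborts every statement) and the message text come from the report.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical session model; field names are illustrative, not MonetDB's. */
typedef struct {
    int64_t querytimeout;   /* 0 = no limit, as the report's output shows */
    int64_t sessiontimeout; /* 0 = no limit (assumed to mirror querytimeout) */
} session_t;

/* Assumed check: with a limit set, abort once elapsed time exceeds it.
 * Elapsed time is never negative, so any negative limit always trips. */
int query_timed_out(const session_t *s, int64_t elapsed)
{
    return s->querytimeout != 0 && elapsed > s->querytimeout;
}

/* Unvalidated setter: models the behaviour the report describes. */
void settimeout_unchecked(session_t *s, int64_t query)
{
    s->querytimeout = query;
}

/* Validated setter: reject negatives and leave the session untouched.
 * Returns 0 on success, -1 with a message in err on rejection. */
int settimeout_checked(session_t *s, int64_t query, int64_t session,
                       char *err, size_t errlen)
{
    int64_t bad = query < 0 ? query : session;
    if (query < 0 || session < 0) {
        snprintf(err, errlen, "Illegal timeout value: %lld", (long long)bad);
        return -1;
    }
    s->querytimeout = query;
    s->sessiontimeout = session;
    return 0;
}

int main(void)
{
    session_t s = {0, 0};
    char err[64] = "";
    settimeout_unchecked(&s, -9);
    printf("unchecked -9: timed_out=%d\n", query_timed_out(&s, 0));
    s.querytimeout = 0;
    if (settimeout_checked(&s, 9, -10, err, sizeof err) != 0)
        printf("%s (querytimeout stays %lld)\n", err, (long long)s.querytimeout);
    return 0;
}
```

The validated setter checks both arguments before writing either, so a call such as settimeout(9, -10) changes nothing in the session.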