From d9a85dfc7a02842ddb556d05712e63ecba1f3c1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Canna=C3=B2?=
Date: Fri, 3 Jul 2020 18:37:04 +0200
Subject: [PATCH] Input validation for mysql-default_session_track_gtids default_session_track_gtids allows only two values: OFF or OWN_GTID
---
 lib/MySQL_Thread.cpp | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/lib/MySQL_Thread.cpp b/lib/MySQL_Thread.cpp
index 1996f4413..063da4c98 100644
--- a/lib/MySQL_Thread.cpp
+++ b/lib/MySQL_Thread.cpp
@@ -2937,13 +2937,18 @@ bool MySQL_Threads_Handler::set_variable(char *name, const char *value) { // thi
 if (variables.default_session_track_gtids) free(variables.default_session_track_gtids);
 variables.default_session_track_gtids=NULL;
 if (vallen) {
- if (strcmp(value,"(null)"))
- variables.default_session_track_gtids=strdup(value);
- }
- if (variables.default_session_track_gtids==NULL) {
- variables.default_session_track_gtids=strdup((char *)MYSQL_DEFAULT_SESSION_TRACK_GTIDS); // default
+ // we only accept 2 value for session_track_gtids = OFF or OWN_GTID
+ if (strcasecmp(value,(char *)"OFF") == 0) {
+ // for convention, we stored the value as uppercase
+ variables.default_session_track_gtids=strdup((char *)"OFF");
+ return true;
+ } else if (strcasecmp(value,(char *)"OWN_GTID") == 0) {
+ // for convention, we stored the value as uppercase
+ variables.default_session_track_gtids=strdup((char *)"OWN_GTID");
+ return true;
+ }
 }
- return true;
+ return false; // we couldn't set it to a valid value. It will be reset to default
 }
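Review bot: The stored string is freed and the pointer set to NULL in the hunk's first two context lines, before `value` is validated, so the new `return false` path leaves `variables.default_session_track_gtids` NULL with the previous setting already lost. The removed fallback to `MYSQL_DEFAULT_SESSION_TRACK_GTIDS` used to guarantee a non-NULL string at this point. The new comment relies on the caller resetting the value, and that caller is not visible in this hunk. Validating first and replacing the stored string only on a match would leave the configuration untouched when the input is rejected, including an empty value, which now also returns false. The enclosing branch of `set_variable` starts outside the hunk.

```cpp
		// Validate before touching the stored value, so a rejected input keeps the old setting.
		const char *canonical = NULL;
		if (vallen) {
			if (strcasecmp(value, "OFF") == 0) {
				canonical = "OFF";
			} else if (strcasecmp(value, "OWN_GTID") == 0) {
				canonical = "OWN_GTID";
			}
		}
		if (canonical == NULL) {
			return false; // invalid value: previous setting is left in place
		}
		free(variables.default_session_track_gtids); // free(NULL) is a no-op
		variables.default_session_track_gtids = strdup(canonical); // stored uppercase by convention
		return true;
```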