server: fix OK session-track suffix and validate SetCapability#1167
Conversation
Omit the session-state block from OK packets unless SERVER_SESSION_STATE_CHANGED is set, even when CLIENT_SESSION_TRACK is negotiated. An empty session-state length byte after the info string breaks strict clients on auth and normal OKs. Restrict Server.SetCapability and UnsetCapability to a whitelist of CLIENT_LOCAL_FILES, CLIENT_MULTI_RESULTS, and CLIENT_PS_MULTI_RESULTS so flags like CLIENT_SSL cannot be enabled without a matching tlsConfig. Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
Code Review
This pull request refactors OK-packet session tracking by conditionally appending the session track block based on the SERVER_SESSION_STATE_CHANGED status flag. It also restricts SetCapability and UnsetCapability to only allow toggling of user-configurable capabilities (CLIENT_LOCAL_FILES, CLIENT_MULTI_RESULTS, and CLIENT_PS_MULTI_RESULTS), returning an error for unsafe flags. The feedback suggests improving the capability validation error message to isolate and report the specific invalid flags when a bitmask with multiple flags is provided.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
…rror When a bitmask mixes user-configurable and unsafe flags, include the isolated invalid mask in the error message for easier debugging. Co-authored-by: Cursor <cursoragent@cursor.com>
|
Hi @lance6716 , I dont have other channel to interact with you, but thanks for your responsiveness, and your follow ups. |
|
You can contact me through email. But GitHub activities also notify me by email, so a manual email won't change much :P Releases are mostly done by @dveeden. If he's busy these days, I can do the release as well. There's no fixed schedule. We just release new versions according to requests. For this PR I will take a look later. |
|
I'll try to prepare a new release by early next week |
…sql-org#1167) * server: fix OK session-track suffix and validate SetCapability Omit the session-state block from OK packets unless SERVER_SESSION_STATE_CHANGED is set, even when CLIENT_SESSION_TRACK is negotiated. An empty session-state length byte after the info string breaks strict clients on auth and normal OKs. Restrict Server.SetCapability and UnsetCapability to a whitelist of CLIENT_LOCAL_FILES, CLIENT_MULTI_RESULTS, and CLIENT_PS_MULTI_RESULTS so flags like CLIENT_SSL cannot be enabled without a matching tlsConfig. Co-authored-by: Cursor <cursoragent@cursor.com> * server: report invalid capability flags separately in SetCapability error When a bitmask mixes user-configurable and unsafe flags, include the isolated invalid mask in the error message for easier debugging. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: lance6716 <lance6716@gmail.com>
Summary
CLIENT_SESSION_TRACKis negotiated butSERVER_SESSION_STATE_CHANGEDis not set,writeOKno longer appends a zero-length session-state block after the info string. The packet now ends after the length-encoded info string, matching the MySQL OK-packet format expected by strict clients (auth OK, normal OK).Server.SetCapability/UnsetCapabilitynow return an error unless the flag is one ofCLIENT_LOCAL_FILES,CLIENT_MULTI_RESULTS, orCLIENT_PS_MULTI_RESULTS. Flags such asCLIENT_SSLremain tied to server construction (tlsConfig) and cannot be enabled independently.Motivation
Follow-up to #1163: the new capability setter API and session-track OK encoding had two correctness issues reported in review.
Changes
mysql/result.go—AppendOKSessionTrackSuffixonly appends the session-state block whenSERVER_SESSION_STATE_CHANGEDis set inr.Status.server/resp.go— simplifiedwriteOKto delegate toAppendOKSessionTrackSuffix.server/server_conf.go— whitelist validation forSetCapability/UnsetCapability; methods now returnerror.Test plan
TestAppendOKSessionTrackSuffixWithoutStateChange— info string only, no session blockTestConnWriteOKStatusMessageWithoutStateChange— updated expected packet (no trailing0x00session block)TestConnWriteOKSessionTrackWithoutStateChangeOrInfo— auth-style OK with empty infoTestSetCapabilityRejectsUnsafeFlags—CLIENT_SSLandCLIENT_PROTOCOL_41rejected; whitelisted flags workMade with Cursor