Allow clear password over loopback connection. Fixes #1534

bgrainger · bgrainger · commit 9c242cc24597 · 2025-01-25T19:55:55.000-08:00
Assume that a localhost TCP connection isn't subject to a MITM attack and so it's OK to send a cleartext password. This allows the use of the Google Cloud SQL Auth Proxy, which runs on a local TCP port.
diff --git a/src/MySqlConnector/Core/ServerSession.cs b/src/MySqlConnector/Core/ServerSession.cs
@@ -860,7 +860,7 @@ private async Task<PayloadData> SwitchAuthenticationAsync(ConnectionSettings cs,
 				return await ReceiveReplyAsync(ioBehavior, cancellationToken).ConfigureAwait(false);
 
 			case "mysql_clear_password":
-				if (!m_isSecureConnection)
+				if (!m_isSecureConnection && !m_isLoopbackConnection)
 				{
 					Log.NeedsSecureConnection(m_logger, Id, switchRequest.Name);
 					throw new MySqlException(MySqlErrorCode.UnableToConnectToHost, $"Authentication method '{switchRequest.Name}' requires a secure connection.");
@@ -1302,6 +1302,7 @@ private async Task<bool> OpenTcpSocketAsync(ConnectionSettings cs, ILoadBalancer
 					m_socket.NoDelay = true;
 					m_stream = m_tcpClient.GetStream();
 					m_socket.SetKeepAlive(cs.Keepalive);
+					m_isLoopbackConnection = IPAddress.IsLoopback(ipAddress);
 				}
 				catch (ObjectDisposedException) when (cancellationToken.IsCancellationRequested)
 				{
@@ -2169,6 +2170,7 @@ protected override void OnStatementBegin(int index)
 	private IPayloadHandler? m_payloadHandler;
 	private CompressionMethod m_compressionMethod;
 	private bool m_isSecureConnection;
+	private bool m_isLoopbackConnection;
 	private bool m_supportsConnectionAttributes;
 	private bool m_supportsPipelining;
 	private CharacterSet m_characterSet;
