MXS-1449 Firewall: Allow 'USE <db>'

When the database firewall filter is used in white-list mode,
'USE <db>' should be allowed. When connecting, it is always
possible to specify the database anyway so restricting
'USE <db>' serves no purpose.

Documentation/Filters/Database-Firewall-Filter.md

@@ -51,13 +51,14 @@ all matching queries, or `ignore` which allows all queries to proceed.
 The following statement types will always be allowed through when `action` is
 set to `allow`:
 
- - COM_QUIT: Client closes connection
- - COM_PING: Server is pinged
  - COM_CHANGE_USER: The user is changed for an active connection
- - COM_SET_OPTION: Client multi-statements are being configured
  - COM_FIELD_LIST: Alias for the `SHOW TABLES;` query
- - COM_PROCESS_KILL: Alias for `KILL <id>;` query
+ - COM_INIT_DB: Alias for `USE <db>;`
+ - COM_PING: Server is pinged
  - COM_PROCESS_INFO: Alias for `SHOW PROCESSLIST;`
+ - COM_PROCESS_KILL: Alias for `KILL <id>;` query
+ - COM_QUIT: Client closes connection
+ - COM_SET_OPTION: Client multi-statements are being configured
 
 You can have both blacklist and whitelist functionality by configuring one
 filter with `action=allow` and another one with `action=block`. You can then use

server/modules/filter/dbfwfilter/dbfwfilter.c

@@ -2310,6 +2310,7 @@ static bool command_is_mandatory(const GWBUF *buffer)
     {
     case MYSQL_COM_CHANGE_USER:
     case MYSQL_COM_FIELD_LIST:
+    case MYSQL_COM_INIT_DB:
     case MYSQL_COM_PING:
     case MYSQL_COM_PROCESS_INFO:
     case MYSQL_COM_PROCESS_KILL: