authorSunanda Menon <sunanda.menon@sun.com>2010-05-05 15:33:46 +0200
committerSunanda Menon <sunanda.menon@sun.com>2010-05-05 15:33:46 +0200
commitc5bf05cd9555c9629c91f8874f3d866b73937dc0 (patch)
treef21ca30ff2398aded4a4823f679938ec10abb19d
parent037950e676fd1b8bf207c31cc4f808a468421ed7 (diff)
------------------------------------------------------------
revno: 2861 committer: Georgi Kodinov <joro@sun.com> branch nick: B53371-5.0-bugteam timestamp: Mon 2010-05-03 18:16:51 +0300 message: Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants. The server was not checking the table name supplied to COM_FIELD_LIST for validity and compliance with the standards for acceptable table names. Fixed by checking the table name for compliance, similar to how it is normally checked by the parser, and returning an error message if it is not compliant.
-rw-r--r--sql/sql_parse.cc7
-rw-r--r--tests/mysql_client_test.c42
2 files changed, 49 insertions, 0 deletions
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 2b43d95dd7c..807d6c09a46 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -2042,6 +2042,13 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
}
thd->convert_string(&conv_name, system_charset_info,
packet, arg_length, thd->charset());
+ if (check_table_name (conv_name.str, conv_name.length))
+ {
+ /* this is OK due to convert_string() null-terminating the string */
+ my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
+ break;
+ }
+
table_list.alias= table_list.table_name= conv_name.str;
packet= pend+1;
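Review bot: The comment inside the added block at `if (check_table_name (conv_name.str, conv_name.length))` explains only why passing conv_name.str to my_error() is safe, not why the check exists at this point. I would put a comment above the `if`, for example `/* The name comes straight from the client packet and never passes through the parser, so validate it here before it is stored in table_list and used for the grant check. */`. Separately, the return value of `thd->convert_string()` on the preceding context lines is discarded; if that call can fail and leave conv_name empty, it is worth confirming that check_table_name() and the my_error() call cope with that state. The body of dispatch_command extends beyond this hunk on both sides, so the later use of table_list is not visible here.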
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index 63137bdba93..5b26b96707b 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@@ -16679,6 +16679,47 @@ static void test_bug45010()
}
+static void test_bug53371()
+{
+ int rc;
+ MYSQL_RES *result;
+
+ myheader("test_bug53371");
+
+ rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+
+ rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
+ myquery(rc);
+ rc= mysql_query(mysql, "CREATE DATABASE bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
+ myquery(rc);
+
+ rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
+ myquery(rc);
+
+ rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
+ DIE_UNLESS(rc);
+ DIE_UNLESS(mysql_errno(mysql) == 1142);
+
+ result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
+ DIE_IF(result);
+
+ rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP TABLE t1");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP DATABASE bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+ myquery(rc);
+}
+
+
/*
Read and parse arguments and MySQL options from my.cnf
*/
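Review bot: The assertion after `mysql_list_fields(mysql, "../client_test_db/t1", NULL)` is only `DIE_IF(result)`, so test_bug53371 passes on any failure of the call rather than specifically on the rejection that the server-side check adds. Pinning the error, as the SHOW COLUMNS case just above does, would make it a real regression test for the name check: `DIE_UNLESS(mysql_errno(mysql) == ER_WRONG_TABLE_NAME);` if that symbol is available in this file, otherwise its numeric value in the style of the 1142 check. The unchecked first `DROP USER 'testbug'@localhost` looks deliberate because the user may not exist yet; a short comment such as `/* result ignored: the user may not exist */` would make that explicit.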
@@ -16982,6 +17023,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug41078", test_bug41078 },
{ "test_bug20023", test_bug20023 },
{ "test_bug45010", test_bug45010 },
+ { "test_bug53371", test_bug53371 },
{ 0, 0 }
};