diff options
| author | unknown <svoj@mysql.com/june.mysql.com> | 2007-11-06 18:09:33 +0400 |
|---|---|---|
| committer | unknown <svoj@mysql.com/june.mysql.com> | 2007-11-06 18:09:33 +0400 |
| commit | ff4b438be005a3cffb5100db93e10da0f7980922 (patch) | |
| tree | 5f5c06038a6e7b16dd4b68129841b6f35fa87527 /mysys | |
| parent | a7e5f73abb9da35a1c199b89df84596cffe59901 (diff) | |
| download | mariadb-git-ff4b438be005a3cffb5100db93e10da0f7980922.tar.gz | |
BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
RENAME TABLE against a table with DATA/INDEX DIRECTORY overwrites
the file to which the symlink points.
This is security issue, because it is possible to create a table with
some name in some non-system database and set DATA/INDEX DIRECTORY
to mysql system database. Renaming this table to one of mysql system
tables (e.g. user, host) would overwrite the system table.
Return an error when the file to which the symlink points exist.
mysql-test/r/symlink.result:
A test case for BUG#32111.
mysql-test/t/symlink.test:
A test case for BUG#32111.
mysys/my_symlink2.c:
Return an error when the file to which the symlink points exist.
Diffstat (limited to 'mysys')
| -rw-r--r-- | mysys/my_symlink2.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/mysys/my_symlink2.c b/mysys/my_symlink2.c index 913f632fbb4..4d58699412a 100644 --- a/mysys/my_symlink2.c +++ b/mysys/my_symlink2.c @@ -120,6 +120,7 @@ int my_rename_with_symlink(const char *from, const char *to, myf MyFlags) int was_symlink= (!my_disable_symlinks && !my_readlink(link_name, from, MYF(0))); int result=0; + int name_is_different; DBUG_ENTER("my_rename_with_symlink"); if (!was_symlink) @@ -128,6 +129,14 @@ int my_rename_with_symlink(const char *from, const char *to, myf MyFlags) /* Change filename that symlink pointed to */ strmov(tmp_name, to); fn_same(tmp_name,link_name,1); /* Copy dir */ + name_is_different= strcmp(link_name, tmp_name); + if (name_is_different && !access(tmp_name, F_OK)) + { + my_errno= EEXIST; + if (MyFlags & MY_WME) + my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST); + DBUG_RETURN(1); + } /* Create new symlink */ if (my_symlink(tmp_name, to, MyFlags)) @@ -139,7 +148,7 @@ int my_rename_with_symlink(const char *from, const char *to, myf MyFlags) the same basename and different directories. */ - if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags)) + if (name_is_different && my_rename(link_name, tmp_name, MyFlags)) { int save_errno=my_errno; my_delete(to, MyFlags); /* Remove created symlink */ |