diff options
| author | unknown <msvensson@pilot.mysql.com> | 2007-02-14 14:44:34 +0100 |
|---|---|---|
| committer | unknown <msvensson@pilot.mysql.com> | 2007-02-14 14:44:34 +0100 |
| commit | c4ae01e6f0e9055f0e541aa42a653c6ab0e24b7b (patch) | |
| tree | f44f19f58dde92ae9260a654f9d2d1be4cd163f5 /sql/item_strfunc.cc | |
| parent | e04d00100429373fc4575895cbd282d1289e6dbd (diff) | |
| download | mariadb-git-c4ae01e6f0e9055f0e541aa42a653c6ab0e24b7b.tar.gz | |
Bug#18628 mysql-test-run: security problem(part1)
- Implement --secure-file-priv=<dir> option that limits
"load_file", "LOAD DATA" and "SELECT .. INTO OUTFILE" to work
with files in specified dir.
- Use above option for mysqld in mysql-test-run.pl
mysql-test/mysql-test-run.pl:
Add usage of --secure-file-priv=vardir when starting mysqld
mysql-test/r/loaddata.result:
Update test result after adding test to check that secure-file-priv
works for "load data" and "load_file"
mysql-test/r/outfile.result:
Update result
mysql-test/r/query_cache.result:
Can't load from outside of vardir anymore
mysql-test/r/type_blob.result:
Can't load from outside of vardir anymore
mysql-test/t/loaddata.test:
Update test result after adding test to check that secure-file-priv
works for "load data" and "load_file"
mysql-test/t/outfile.test:
Update test result after adding test to check that secure-file-priv
works for "SELECT .. INTO OUTFILE"
mysql-test/t/query_cache.test:
Can't load from outside of vardir anymore
mysql-test/t/type_blob.test:
Can't load from outside of vardir anymore
sql/item_strfunc.cc:
Check that the path "load_file" uses for the file is within
what's specified with --secure-file-priv
sql/mysql_priv.h:
Add secure_file_priv
sql/mysqld.cc:
Add "--secure_file_priv"
sql/set_var.cc:
Add variable "secure_file_priv" to "show variables"
sql/sql_class.cc:
Check that the path "load_file" uses for the file is within
what's specified with --secure-file-priv
sql/sql_class.h:
Fix spelling error
sql/sql_load.cc:
Check that the path "load_file" uses for the file is within
what's specified with --secure-file-priv
sql/share/errmsg.txt:
Fix swedish error message for ER_OPTION_PREVENTS_STATMENT wich was hardcoded
to --skip-grant-tables
Diffstat (limited to 'sql/item_strfunc.cc')
| -rw-r--r-- | sql/item_strfunc.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index f98a14d2cc6..6897ffda56a 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -2767,6 +2767,11 @@ String *Item_load_file::val_str(String *str) (void) fn_format(path, file_name->c_ptr(), mysql_real_data_home, "", MY_RELATIVE_PATH | MY_UNPACK_FILENAME); + /* Read only allowed from within dir specified by secure_file_priv */ + if (opt_secure_file_priv && + strncmp(opt_secure_file_priv, path, strlen(opt_secure_file_priv))) + goto err; + if (!my_stat(path, &stat_info, MYF(0))) goto err; |