diff options
| author | unknown <Li-Bing.Song@sun.com> | 2010-07-29 11:00:57 +0800 |
|---|---|---|
| committer | unknown <Li-Bing.Song@sun.com> | 2010-07-29 11:00:57 +0800 |
| commit | 2124538d9cea1cea39b01f0b8b99052b36004fb9 (patch) | |
| tree | 49835843b47b50726e5c3eb2fde225851827a677 /sql/sql_lex.h | |
| parent | 2529ee72ec1af6d27a4f1dc5db2c4f2f001b6120 (diff) | |
| download | mariadb-git-2124538d9cea1cea39b01f0b8b99052b36004fb9.tar.gz | |
BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
/*![:version:] Query Code */, where [:version:] is a sequence of 5
digits representing the mysql server version(e.g /*!50200 ... */),
is a special comment that the query in it can be executed on those
servers whose versions are larger than the version appearing in the
comment. It leads to a security issue when slave's version is larger
than master's. A malicious user can improve his privileges on slaves.
Because slave SQL thread is running with SUPER privileges, so it can
execute queries that he/she does not have privileges on master.
This bug is fixed with the logic below:
- To replace '!' with ' ' in the magic comments which are not applied on
master. So they become common comments and will not be applied on slave.
- Example:
'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
will be binlogged as
'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
mysql-test/suite/rpl/t/rpl_conditional_comments.test:
Test the patch for this bug.
sql/mysql_priv.h:
Rename inBuf as rawBuf and remove the const limitation.
sql/sql_lex.cc:
To replace '!' with ' ' in the magic comments which are not applied on
master.
sql/sql_lex.h:
Remove the const limitation on parameter buff, as it can be modified in the function since
this patch.
Add member function yyUnput for Lex_input_stream. It set a character back the query buff.
sql/sql_parse.cc:
Rename inBuf as rawBuf and remove the const limitation.
sql/sql_partition.cc:
Remove the const limitation on parameter part_buff, as it can be modified in the function since
this patch.
sql/sql_partition.h:
Remove the const limitation on parameter part_buff, as it can be modified in the function since
this patch.
sql/table.h:
Remove the const limitation on variable partition_info, as it can be modified since
this patch.
Diffstat (limited to 'sql/sql_lex.h')
| -rw-r--r-- | sql/sql_lex.h | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/sql/sql_lex.h b/sql/sql_lex.h index cefb0cb49fb..7403bb5a1a4 100644 --- a/sql/sql_lex.h +++ b/sql/sql_lex.h @@ -1180,7 +1180,7 @@ public: @retval FALSE OK @retval TRUE Error */ - bool init(THD *thd, const char *buff, unsigned int length); + bool init(THD *thd, char *buff, unsigned int length); /** Set the echo mode. @@ -1295,6 +1295,20 @@ public: } /** + Puts a character back into the stream, canceling + the effect of the last yyGet() or yySkip(). + Note that the echo mode should not change between calls + to unput, get, or skip from the stream. + */ + char *yyUnput(char ch) + { + *--m_ptr= ch; + if (m_echo) + m_cpp_ptr--; + return m_ptr; + } + + /** End of file indicator for the query text to parse. @return true if there are no more characters to parse */ @@ -1440,7 +1454,7 @@ public: private: /** Pointer to the current position in the raw input stream. */ - const char *m_ptr; + char *m_ptr; /** Starting position of the last token parsed, in the raw buffer. */ const char *m_tok_start; @@ -1972,7 +1986,7 @@ public: @retval FALSE OK @retval TRUE Error */ - bool init(THD *thd, const char *buff, unsigned int length) + bool init(THD *thd, char *buff, unsigned int length) { return m_lip.init(thd, buff, length); } |