From 470f2598cca350b79531bf0b88463a47d94abec3 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Wed, 3 Aug 2016 20:56:24 +0200 Subject: MDEV-10465 general_log_file can be abused This issue was discovered by Dawid Golunski (http://legalhackers.com) --- mysql-test/suite/sys_vars/r/general_log_file_basic.result | 6 ++++++ mysql-test/suite/sys_vars/r/slow_query_log_file_basic.result | 6 ++++++ mysql-test/suite/sys_vars/t/general_log_file_basic.test | 10 ++++++++++ mysql-test/suite/sys_vars/t/slow_query_log_file_basic.test | 10 ++++++++++ sql/sys_vars.cc | 7 +++++++ 5 files changed, 39 insertions(+) diff --git a/mysql-test/suite/sys_vars/r/general_log_file_basic.result b/mysql-test/suite/sys_vars/r/general_log_file_basic.result index 369ef7844db..54b450a2fce 100644 --- a/mysql-test/suite/sys_vars/r/general_log_file_basic.result +++ b/mysql-test/suite/sys_vars/r/general_log_file_basic.result @@ -12,6 +12,12 @@ SET @@global.general_log_file = mytest.log; ERROR 42000: Incorrect argument type to variable 'general_log_file' SET @@global.general_log_file = 12; ERROR 42000: Incorrect argument type to variable 'general_log_file' +SET @@global.general_log_file = 'my.cnf'; +ERROR 42000: Variable 'general_log_file' can't be set to the value of 'my.cnf' +SET @@global.general_log_file = '/tmp/my.cnf'; +ERROR 42000: Variable 'general_log_file' can't be set to the value of '/tmp/my.cnf' +SET @@global.general_log_file = '.my.cnf'; +ERROR 42000: Variable 'general_log_file' can't be set to the value of '.my.cnf' '#----------------------FN_DYNVARS_004_03------------------------#' SELECT @@global.general_log_file = VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES diff --git a/mysql-test/suite/sys_vars/r/slow_query_log_file_basic.result b/mysql-test/suite/sys_vars/r/slow_query_log_file_basic.result index f45c568ff4a..e2ed7d63fdb 100644 --- a/mysql-test/suite/sys_vars/r/slow_query_log_file_basic.result +++ b/mysql-test/suite/sys_vars/r/slow_query_log_file_basic.result @@ -9,6 +9,12 @@ SET @@global.slow_query_log_file = mytest.log; ERROR 42000: Incorrect argument type to variable 'slow_query_log_file' SET @@global.slow_query_log_file = 12; ERROR 42000: Incorrect argument type to variable 'slow_query_log_file' +SET @@global.slow_query_log_file = 'my.cnf'; +ERROR 42000: Variable 'slow_query_log_file' can't be set to the value of 'my.cnf' +SET @@global.slow_query_log_file = '/tmp/my.cnf'; +ERROR 42000: Variable 'slow_query_log_file' can't be set to the value of '/tmp/my.cnf' +SET @@global.general_log_file = '.my.cnf'; +ERROR 42000: Variable 'general_log_file' can't be set to the value of '.my.cnf' '#----------------------FN_DYNVARS_004_03------------------------#' SELECT @@global.slow_query_log_file = VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES diff --git a/mysql-test/suite/sys_vars/t/general_log_file_basic.test b/mysql-test/suite/sys_vars/t/general_log_file_basic.test index 12362fa123c..cdb2cc4b36e 100644 --- a/mysql-test/suite/sys_vars/t/general_log_file_basic.test +++ b/mysql-test/suite/sys_vars/t/general_log_file_basic.test @@ -58,6 +58,16 @@ SET @@global.general_log_file = mytest.log; --error ER_WRONG_TYPE_FOR_VAR SET @@global.general_log_file = 12; +# +# MDEV-10465 +# +--error ER_WRONG_VALUE_FOR_VAR +SET @@global.general_log_file = 'my.cnf'; +--error ER_WRONG_VALUE_FOR_VAR +SET @@global.general_log_file = '/tmp/my.cnf'; +--error ER_WRONG_VALUE_FOR_VAR +SET @@global.general_log_file = '.my.cnf'; + --echo '#----------------------FN_DYNVARS_004_03------------------------#' ############################################################################## diff --git a/mysql-test/suite/sys_vars/t/slow_query_log_file_basic.test b/mysql-test/suite/sys_vars/t/slow_query_log_file_basic.test index 28fc17f6077..835cb251e39 100644 --- a/mysql-test/suite/sys_vars/t/slow_query_log_file_basic.test +++ b/mysql-test/suite/sys_vars/t/slow_query_log_file_basic.test @@ -56,6 +56,16 @@ SET @@global.slow_query_log_file = mytest.log; --error ER_WRONG_TYPE_FOR_VAR SET @@global.slow_query_log_file = 12; +# +# MDEV-10465 +# +--error ER_WRONG_VALUE_FOR_VAR +SET @@global.slow_query_log_file = 'my.cnf'; +--error ER_WRONG_VALUE_FOR_VAR +SET @@global.slow_query_log_file = '/tmp/my.cnf'; +--error ER_WRONG_VALUE_FOR_VAR +SET @@global.general_log_file = '.my.cnf'; + --echo '#----------------------FN_DYNVARS_004_03------------------------#' ############################################################################## # Check if the value in GLOBAL Tables matches values in variable # diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc index bf7ed231d77..2ed5be3bf3b 100644 --- a/sql/sys_vars.cc +++ b/sql/sys_vars.cc @@ -3033,6 +3033,13 @@ static bool check_log_path(sys_var *self, THD *thd, set_var *var) return true; } + static const LEX_CSTRING my_cnf= { STRING_WITH_LEN("my.cnf") }; + if (val->length >= my_cnf.length) + { + if (strcasecmp(val->str + val->length - my_cnf.length, my_cnf.str) == 0) + return true; // log file name ends with "my.cnf" + } + char path[FN_REFLEN]; size_t path_length= unpack_filename(path, val->str); -- cgit v1.2.1