From 060b1eadf4913f7066484ea34ec62feead1bca44 Mon Sep 17 00:00:00 2001 From: Ramil Kalimullin Date: Fri, 10 Mar 2017 01:19:50 +0400 Subject: BUG#25575605: SETTING --SSL-MODE=REQUIRED SENDS CREDENTIALS BEFORE VERIFYING SSL CONNECTION MYSQL_OPT_SSL_MODE option introduced. It is set in case of --ssl-mode=REQUIRED and permits only SSL connection. (cherry picked from commit 3b2d28578c526f347f5cfe763681eff365731f99) --- client/client_priv.h | 34 +++++++++++++++++++++++++--------- client/mysql.cc | 6 +++--- client/mysql_upgrade.c | 6 ++++-- client/mysqladmin.cc | 6 +++--- client/mysqlcheck.c | 4 ++-- client/mysqldump.c | 4 ++-- client/mysqlimport.c | 4 ++-- client/mysqlshow.c | 4 ++-- client/mysqlslap.c | 5 +++-- client/mysqltest.cc | 6 +++--- 10 files changed, 49 insertions(+), 30 deletions(-) (limited to 'client') diff --git a/client/client_priv.h b/client/client_priv.h index e53ced7e790..fb83ce9cc8b 100644 --- a/client/client_priv.h +++ b/client/client_priv.h @@ -1,5 +1,5 @@ /* - Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -115,13 +115,15 @@ enum options_client /** Wrapper for mysql_real_connect() that checks if SSL connection is establised. - The function calls mysql_real_connect() first, then if given ssl_required==TRUE - argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to - ensure that SSL is used for current connection. - Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR. + The function calls mysql_real_connect() first. Then, if the ssl_required + argument is TRUE (i.e., the --ssl-mode=REQUIRED option was specified), it + checks the current SSL cipher to ensure that SSL is used for the current + connection. Otherwise, it returns NULL and sets errno to + CR_SSL_CONNECTION_ERROR. - All clients (except mysqlbinlog which disregards SSL options) use this function - instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option. + All clients (except mysqlbinlog, which disregards SSL options) use this + function instead of mysql_real_connect() to handle the --ssl-mode=REQUIRED + option. */ MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host, const char *user, const char *passwd, @@ -129,8 +131,22 @@ MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host, const char *unix_socket, ulong client_flag, my_bool ssl_required __attribute__((unused))) { - MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port, - unix_socket, client_flag); + MYSQL *mysql; + +#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) + enum mysql_ssl_mode opt_ssl_mode= SSL_MODE_REQUIRED; + if (ssl_required && + mysql_options(mysql_arg, MYSQL_OPT_SSL_MODE, (char *) &opt_ssl_mode)) + { + NET *net= &mysql_arg->net; + net->last_errno= CR_SSL_CONNECTION_ERROR; + strmov(net->last_error, "Client library doesn't support MYSQL_SSL_REQUIRED option"); + strmov(net->sqlstate, "HY000"); + return NULL; + } +#endif + mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port, + unix_socket, client_flag); #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) if (mysql && /* connection established. */ ssl_required && /* --ssl-mode=REQUIRED. */ diff --git a/client/mysql.cc b/client/mysql.cc index cdc2ab0d6e0..2269563814c 100644 --- a/client/mysql.cc +++ b/client/mysql.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1318,7 +1318,7 @@ sig_handler handle_sigint(int sig) kill_mysql= mysql_init(kill_mysql); if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user, opt_password, "", opt_mysql_port, opt_mysql_unix_port, 0, - opt_ssl_required)) + opt_ssl_mode == SSL_MODE_REQUIRED)) { tee_fprintf(stdout, "Ctrl-C -- sorry, cannot connect to server to kill query, giving up ...\n"); goto err; @@ -4461,7 +4461,7 @@ sql_real_connect(char *host,char *database,char *user,char *password, if (!mysql_connect_ssl_check(&mysql, host, user, password, database, opt_mysql_port, opt_mysql_unix_port, connect_flag | CLIENT_MULTI_STATEMENTS, - opt_ssl_required)) + opt_ssl_mode == SSL_MODE_REQUIRED)) { if (!silent || (mysql_errno(&mysql) != CR_CONN_HOST_ERROR && diff --git a/client/mysql_upgrade.c b/client/mysql_upgrade.c index 507df6f7843..be0af089027 100644 --- a/client/mysql_upgrade.c +++ b/client/mysql_upgrade.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -387,9 +387,11 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...) va_end(args); +#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) /* If given --ssl-mode=REQUIRED propagate it to the tool. */ - if (opt_ssl_required) + if (opt_ssl_mode == SSL_MODE_REQUIRED) dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED"); +#endif #ifdef __WIN__ dynstr_append(&ds_cmdline, "\""); diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc index c03b37ab165..ae9db85b917 100644 --- a/client/mysqladmin.cc +++ b/client/mysqladmin.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -519,8 +519,8 @@ static my_bool sql_connect(MYSQL *mysql, uint wait) for (;;) { if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS, - tcp_port, unix_port, - CLIENT_REMEMBER_OPTIONS, opt_ssl_required)) + tcp_port, unix_port, CLIENT_REMEMBER_OPTIONS, + opt_ssl_mode == SSL_MODE_REQUIRED)) { mysql->reconnect= 1; if (info) diff --git a/client/mysqlcheck.c b/client/mysqlcheck.c index 55b941e7f1a..7822460e341 100644 --- a/client/mysqlcheck.c +++ b/client/mysqlcheck.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -907,7 +907,7 @@ static int dbConnect(char *host, char *user, char *passwd) if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd, NULL, opt_mysql_port, opt_mysql_unix_port, 0, - opt_ssl_required))) + opt_ssl_mode == SSL_MODE_REQUIRED))) { DBerror(&mysql_connection, "when trying to connect"); return 1; diff --git a/client/mysqldump.c b/client/mysqldump.c index 00265def489..fcd29e26fe3 100644 --- a/client/mysqldump.c +++ b/client/mysqldump.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1501,7 +1501,7 @@ static int connect_to_db(char *host, char *user,char *passwd) if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user, passwd, NULL, opt_mysql_port, opt_mysql_unix_port, 0, - opt_ssl_required))) + opt_ssl_mode == SSL_MODE_REQUIRED))) { DB_error(&mysql_connection, "when trying to connect"); DBUG_RETURN(1); diff --git a/client/mysqlimport.c b/client/mysqlimport.c index 5841c0b855a..bab43356bc7 100644 --- a/client/mysqlimport.c +++ b/client/mysqlimport.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -463,7 +463,7 @@ static MYSQL *db_connect(char *host, char *database, mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset); if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database, opt_mysql_port, opt_mysql_unix_port, - 0, opt_ssl_required))) + 0, opt_ssl_mode == SSL_MODE_REQUIRED))) { ignore_errors=0; /* NO RETURN FROM db_error */ db_error(mysql); diff --git a/client/mysqlshow.c b/client/mysqlshow.c index d0390ec443b..bd7a37f93b4 100644 --- a/client/mysqlshow.c +++ b/client/mysqlshow.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -142,7 +142,7 @@ int main(int argc, char **argv) if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password, (first_argument_uses_wildcards) ? "" : argv[0], opt_mysql_port, opt_mysql_unix_port, - 0, opt_ssl_required))) + 0, opt_ssl_mode == SSL_MODE_REQUIRED))) { fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql)); exit(1); diff --git a/client/mysqlslap.c b/client/mysqlslap.c index eb2b577948c..aa312339e87 100644 --- a/client/mysqlslap.c +++ b/client/mysqlslap.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -357,7 +357,8 @@ int main(int argc, char **argv) { if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password, NULL, opt_mysql_port, opt_mysql_unix_port, - connect_flags, opt_ssl_required))) + connect_flags, + opt_ssl_mode == SSL_MODE_REQUIRED))) { fprintf(stderr,"%s: Error when connecting to server: %s\n", my_progname,mysql_error(&mysql)); diff --git a/client/mysqltest.cc b/client/mysqltest.cc index 79d448cf811..e5f9b11fe76 100644 --- a/client/mysqltest.cc +++ b/client/mysqltest.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -5283,7 +5283,7 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host, host, port, sock, user, name, failed_attempts); while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock, CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS, - opt_ssl_required)) + opt_ssl_mode == SSL_MODE_REQUIRED)) { /* Connect failed @@ -5385,7 +5385,7 @@ int connect_n_handle_errors(struct st_command *command, while (!mysql_connect_ssl_check(con, host, user, pass, db, port, sock ? sock: 0, CLIENT_MULTI_STATEMENTS, - opt_ssl_required)) + opt_ssl_mode == SSL_MODE_REQUIRED)) { /* If we have used up all our connections check whether this -- cgit v1.2.1 From 6fa5e0814662d691be1a29bf88332348ec7c50c9 Mon Sep 17 00:00:00 2001 From: Bharathy Satish Date: Fri, 17 Mar 2017 08:41:31 +0100 Subject: Bug #25717383: MYSQLDUMP MAY EXECUTE ANY ARBITRARY QUERY While writing comments if database object names has a new line character, then next line is considered a command, rather than a comment. This patch fixes the way comments are constructed in mysqldump. (cherry picked from commit 1099f9d17b1c697c2760f86556f5bae7d202b444) --- client/mysqldump.c | 54 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 42 insertions(+), 12 deletions(-) (limited to 'client') diff --git a/client/mysqldump.c b/client/mysqldump.c index fcd29e26fe3..2775769fe52 100644 --- a/client/mysqldump.c +++ b/client/mysqldump.c @@ -549,6 +549,7 @@ static int dump_tablespaces_for_databases(char** databases); static int dump_tablespaces(char* ts_where); static void print_comment(FILE *sql_file, my_bool is_error, const char *format, ...); +static const char* fix_identifier_with_newline(char*); /* @@ -649,7 +650,7 @@ static void write_header(FILE *sql_file, char *db_name) MACHINE_TYPE); print_comment(sql_file, 0, "-- Host: %s Database: %s\n", current_host ? current_host : "localhost", - db_name ? db_name : ""); + db_name ? fix_identifier_with_newline(db_name) : ""); print_comment(sql_file, 0, "-- ------------------------------------------------------\n" ); @@ -1981,6 +1982,30 @@ static void print_comment(FILE *sql_file, my_bool is_error, const char *format, print_xml_comment(sql_file, strlen(comment_buff), comment_buff); } +/* + This function accepts object names and prefixes -- wherever \n + character is found. + + @param[in] object_name + + @return + @retval fixed object name. +*/ + +static const char* fix_identifier_with_newline(char* object_name) +{ + static char buff[COMMENT_LENGTH]= {0}; + char *ptr= buff; + memset(buff, 0, 255); + while(*object_name) + { + *ptr++ = *object_name; + if (*object_name == '\n') + ptr= strmov(ptr, "-- "); + object_name++; + } + return buff; +} /* create_delimiter @@ -2049,7 +2074,8 @@ static uint dump_events_for_db(char *db) /* nice comments */ print_comment(sql_file, 0, - "\n--\n-- Dumping events for database '%s'\n--\n", db); + "\n--\n-- Dumping events for database '%s'\n--\n", + fix_identifier_with_newline(db)); /* not using "mysql_query_with_error_report" because we may have not @@ -2266,7 +2292,8 @@ static uint dump_routines_for_db(char *db) /* nice comments */ print_comment(sql_file, 0, - "\n--\n-- Dumping routines for database '%s'\n--\n", db); + "\n--\n-- Dumping routines for database '%s'\n--\n", + fix_identifier_with_newline(db)); /* not using "mysql_query_with_error_report" because we may have not @@ -2325,7 +2352,7 @@ static uint dump_routines_for_db(char *db) query_buff); print_comment(sql_file, 1, "-- does %s have permissions on mysql.proc?\n\n", - current_user); + fix_identifier_with_newline(current_user)); maybe_die(EX_MYSQLERR,"%s has insufficent privileges to %s!", current_user, query_buff); } else if (strlen(row[2])) @@ -2539,11 +2566,11 @@ static uint get_table_structure(char *table, char *db, char *table_type, if (strcmp (table_type, "VIEW") == 0) /* view */ print_comment(sql_file, 0, "\n--\n-- Temporary table structure for view %s\n--\n\n", - result_table); + fix_identifier_with_newline(result_table)); else print_comment(sql_file, 0, "\n--\n-- Table structure for table %s\n--\n\n", - result_table); + fix_identifier_with_newline(result_table)); if (opt_drop) { @@ -2785,7 +2812,7 @@ static uint get_table_structure(char *table, char *db, char *table_type, print_comment(sql_file, 0, "\n--\n-- Table structure for table %s\n--\n\n", - result_table); + fix_identifier_with_newline(result_table)); if (opt_drop) fprintf(sql_file, "DROP TABLE IF EXISTS %s;\n", result_table); if (!opt_xml) @@ -3490,21 +3517,23 @@ static void dump_table(char *table, char *db) { print_comment(md_result_file, 0, "\n--\n-- Dumping data for table %s\n--\n", - result_table); + fix_identifier_with_newline(result_table)); dynstr_append_checked(&query_string, "SELECT /*!40001 SQL_NO_CACHE */ * FROM "); dynstr_append_checked(&query_string, result_table); if (where) { - print_comment(md_result_file, 0, "-- WHERE: %s\n", where); + print_comment(md_result_file, 0, "-- WHERE: %s\n", + fix_identifier_with_newline(where)); dynstr_append_checked(&query_string, " WHERE "); dynstr_append_checked(&query_string, where); } if (order_by) { - print_comment(md_result_file, 0, "-- ORDER BY: %s\n", order_by); + print_comment(md_result_file, 0, "-- ORDER BY: %s\n", + fix_identifier_with_newline(order_by)); dynstr_append_checked(&query_string, " ORDER BY "); dynstr_append_checked(&query_string, order_by); @@ -4275,7 +4304,8 @@ static int init_dumping(char *database, int init_func(char*)) char *qdatabase= quote_name(database,quoted_database_buf,opt_quoted); print_comment(md_result_file, 0, - "\n--\n-- Current Database: %s\n--\n", qdatabase); + "\n--\n-- Current Database: %s\n--\n", + fix_identifier_with_newline(qdatabase)); /* Call the view or table specific function */ init_func(qdatabase); @@ -5281,7 +5311,7 @@ static my_bool get_view_structure(char *table, char* db) print_comment(sql_file, 0, "\n--\n-- Final view structure for view %s\n--\n\n", - result_table); + fix_identifier_with_newline(result_table)); /* Table might not exist if this view was dumped with --tab. */ fprintf(sql_file, "/*!50001 DROP TABLE IF EXISTS %s*/;\n", opt_quoted_table); -- cgit v1.2.1 From 0001049be0af0d5386cbf6009aeb2101243b311a Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Tue, 18 Apr 2017 11:36:11 +0200 Subject: MDEV-12276 Missing DBUG_RETURN or DBUG_VOID_RETURN macro in function "do_exec" --- client/mysqltest.cc | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'client') diff --git a/client/mysqltest.cc b/client/mysqltest.cc index 5327bb7717b..b22959677d0 100644 --- a/client/mysqltest.cc +++ b/client/mysqltest.cc @@ -1038,7 +1038,7 @@ void do_eval(DYNAMIC_STRING *query_eval, const char *query, if (!(v= var_get(p, &p, 0, 0))) { report_or_die( "Bad variable in eval"); - return; + DBUG_VOID_RETURN; } dynstr_append_mem(query_eval, v->str_val, v->str_val_len); } @@ -1753,7 +1753,7 @@ static int run_command(char* cmd, if (!(res_file= popen(cmd, "r"))) { report_or_die("popen(\"%s\", \"r\") failed", cmd); - return -1; + DBUG_RETURN(-1); } while (fgets(buf, sizeof(buf), res_file)) @@ -2661,7 +2661,7 @@ void var_query_set(VAR *var, const char *query, const char** query_end) report_or_die("Query '%s' didn't return a result set", ds_query.str); dynstr_free(&ds_query); eval_expr(var, "", 0); - return; + DBUG_VOID_RETURN; } dynstr_free(&ds_query); @@ -2852,7 +2852,7 @@ void var_set_query_get_value(struct st_command *command, VAR *var) dynstr_free(&ds_query); dynstr_free(&ds_col); eval_expr(var, "", 0); - return; + DBUG_VOID_RETURN; } { @@ -2877,7 +2877,7 @@ void var_set_query_get_value(struct st_command *command, VAR *var) ds_col.str, ds_query.str); dynstr_free(&ds_query); dynstr_free(&ds_col); - return; + DBUG_VOID_RETURN; } DBUG_PRINT("info", ("Found column %d with name '%s'", i, fields[i].name)); @@ -3323,7 +3323,7 @@ void do_exec(struct st_command *command) if (!*cmd) { report_or_die("Missing argument in exec"); - return; + DBUG_VOID_RETURN; } command->last_argument= command->end; @@ -3357,7 +3357,7 @@ void do_exec(struct st_command *command) dynstr_free(&ds_cmd); if (command->abort_on_error) report_or_die("popen(\"%s\", \"r\") failed", command->first_argument); - return; + DBUG_VOID_RETURN; } ds_result= &ds_res; @@ -3415,7 +3415,7 @@ void do_exec(struct st_command *command) ds_cmd.str, error, status, errno, ds_res.str); dynstr_free(&ds_cmd); - return; + DBUG_VOID_RETURN; } DBUG_PRINT("info", @@ -3547,7 +3547,7 @@ void do_system(struct st_command *command) if (strlen(command->first_argument) == 0) { report_or_die("Missing arguments to system, nothing to do!"); - return; + DBUG_VOID_RETURN; } init_dynamic_string(&ds_cmd, 0, command->query_len + 64, 256); @@ -4540,7 +4540,7 @@ void do_perl(struct st_command *command) if (command->abort_on_error) die("popen(\"%s\", \"r\") failed", buf); dynstr_free(&ds_delimiter); - return; + DBUG_VOID_RETURN; } while (fgets(buf, sizeof(buf), res_file)) -- cgit v1.2.1