From fc9f3efaec61ea3086c1df2942a1157fdf9ca1c2 Mon Sep 17 00:00:00 2001
From: Mats Kindahl <mats.kindahl@oracle.com>
Date: Wed, 1 Dec 2010 13:54:50 +0100
Subject: BUG#58246: INSTALL PLUGIN not secure & crashable

When installing plugins, there is a missing check
for slash (/) in the path on Windows. Note that on
Windows, both / and \ can be used to separate
directories.

This patch fixes the issue by:
- Adding a FN_DIRSEP symbol for all platforms
  consisting of a string of legal directory
  separators.
- Adding a charset-aware version of strcspn().
- Adding a check_valid_path() function that uses
  my_strcspn() to check if any FN_DIRSEP character
  is in the supplied string.
- Using the check_valid_path() function in
  sql_plugin.cc and sql_udf.cc (which means
  replacing the existing test there).

include/config-netware.h:
  Adding FN_DIRSEP
  ******
  Adding FN_DIRSEP
include/config-win.h:
  Adding FN_DIRSEP
  ******
  Adding FN_DIRSEP
include/m_ctype.h:
  Adding my_strspn() and my_strcspn().

  ******
  Adding my_strspn() and my_strcspn().
include/my_global.h:
  Adding FN_DIRSEP
  ******
  Adding FN_DIRSEP
mysql-test/t/plugin_not_embedded.test:
  Adding test that file names containing / is
  disallowed on *all* platforms.
  ******
  Adding test that file names containing / is
  disallowed on *all* platforms.
sql/sql_plugin.cc:
  Introducing check_if_path() function for
  checking if filename is a path to include
  / on Windows.
  ******
  Introducing check_if_path() function for
  checking if filename is a path to include
  / on Windows.
sql/sql_udf.cc:
  Switching to use check_if_path() function.
  ******
  Switching to use check_if_path() function.
strings/my_strchr.c:
  Adding my_strspn() and my_strcspn().
  ******
  Adding my_strspn() and my_strcspn().
---
 sql/sql_udf.cc | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

(limited to 'sql/sql_udf.cc')

diff --git a/sql/sql_udf.cc b/sql/sql_udf.cc
index d455a66c4f2..1d5335f0652 100644
--- a/sql/sql_udf.cc
+++ b/sql/sql_udf.cc
@@ -173,10 +173,7 @@ void udf_init()
 
       On windows we must check both FN_LIBCHAR and '/'.
     */
-    if (my_strchr(files_charset_info, dl_name,
-                  dl_name + strlen(dl_name), FN_LIBCHAR) ||
-        IF_WIN(my_strchr(files_charset_info, dl_name,
-                         dl_name + strlen(dl_name), '/'), 0) ||
+    if (check_valid_path(dl_name, strlen(dl_name)) ||
         check_string_char_length(&name, "", NAME_CHAR_LEN,
                                  system_charset_info, 1))
     {
@@ -416,13 +413,8 @@ int mysql_create_function(THD *thd,udf_func *udf)
     Ensure that the .dll doesn't have a path
     This is done to ensure that only approved dll from the system
     directories are used (to make this even remotely secure).
-
-    On windows we must check both FN_LIBCHAR and '/'.
   */
-  if (my_strchr(files_charset_info, udf->dl,
-                udf->dl + strlen(udf->dl), FN_LIBCHAR) ||
-      IF_WIN(my_strchr(files_charset_info, udf->dl,
-                       udf->dl + strlen(udf->dl), '/'), 0))
+  if (check_valid_path(udf->dl, strlen(udf->dl)))
   {
     my_message(ER_UDF_NO_PATHS, ER(ER_UDF_NO_PATHS), MYF(0));
     DBUG_RETURN(1);
-- 
cgit v1.2.1