#At file:///net/helheim/store/bteam/bzr/mysql-5.0.91-release/ based on revid:joro@stripped
2862 Sunanda Menon 2010-05-05
------------------------------------------------------------
revno: 2861
committer: Georgi Kodinov <joro@stripped>
branch nick: B53371-5.0-bugteam
timestamp: Mon 2010-05-03 18:16:51 +0300
message:
Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
The server was not checking the supplied to COM_FIELD_LIST table name
for validity and compliance to acceptable table names standards.
Fixed by checking the table name for compliance similar to how it's
normally checked by the parser and returning an error message if
it's not compliant.
modified:
sql/sql_parse.cc
tests/mysql_client_test.c
=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc 2010-04-29 13:28:16 +0000
+++ b/sql/sql_parse.cc 2010-05-05 13:33:46 +0000
@@ -2042,6 +2042,13 @@ bool dispatch_command(enum enum_server_c
}
thd->convert_string(&conv_name, system_charset_info,
packet, arg_length, thd->charset());
+ if (check_table_name (conv_name.str, conv_name.length))
+ {
+ /* this is OK due to convert_string() null-terminating the string */
+ my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
+ break;
+ }
+
table_list.alias= table_list.table_name= conv_name.str;
packet= pend+1;
=== modified file 'tests/mysql_client_test.c'
--- a/tests/mysql_client_test.c 2009-08-08 02:32:01 +0000
+++ b/tests/mysql_client_test.c 2010-05-05 13:33:46 +0000
@@ -16679,6 +16679,47 @@ static void test_bug45010()
}
+static void test_bug53371()
+{
+ int rc;
+ MYSQL_RES *result;
+
+ myheader("test_bug53371");
+
+ rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+
+ rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
+ myquery(rc);
+ rc= mysql_query(mysql, "CREATE DATABASE bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
+ myquery(rc);
+
+ rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
+ myquery(rc);
+
+ rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
+ DIE_UNLESS(rc);
+ DIE_UNLESS(mysql_errno(mysql) == 1142);
+
+ result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
+ DIE_IF(result);
+
+ rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP TABLE t1");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP DATABASE bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+ myquery(rc);
+}
+
+
/*
Read and parse arguments and MySQL options from my.cnf
*/
@@ -16982,6 +17023,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug41078", test_bug41078 },
{ "test_bug20023", test_bug20023 },
{ "test_bug45010", test_bug45010 },
+ { "test_bug53371", test_bug53371 },
{ 0, 0 }
};
Attachment: [text/bzr-bundle] bzr/sunanda.menon@sun.com-20100505133346-xr2m07ttmqyx9uvz.bundle
| Thread |
|---|
| • bzr commit into mysql-5.0 branch (sunanda.menon:2862) Bug#53371 | Sunanda Menon | 5 May |
