From:Sunanda Menon Date:May 5 2010 1:34pm
Subject:bzr commit into mysql-5.0 branch (sunanda.menon:2862) Bug#53371
#At file:///net/helheim/store/bteam/bzr/mysql-5.0.91-release/ based on revid:joro@stripped

 2862 Sunanda Menon	2010-05-05
      ------------------------------------------------------------
      revno: 2861
      committer: Georgi Kodinov <joro@stripped>
      branch nick: B53371-5.0-bugteam
      timestamp: Mon 2010-05-03 18:16:51 +0300
      message:
        Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
        
        The server was not checking the table name supplied to COM_FIELD_LIST
        for validity and compliance with the standards for acceptable table names.
        Fixed by checking the table name for compliance similar to how it's 
        normally checked by the parser and returning an error message if 
        it's not compliant.

    modified:
      sql/sql_parse.cc
      tests/mysql_client_test.c
=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2010-04-29 13:28:16 +0000
+++ b/sql/sql_parse.cc	2010-05-05 13:33:46 +0000
@@ -2042,6 +2042,13 @@ bool dispatch_command(enum enum_server_c
     }
     thd->convert_string(&conv_name, system_charset_info,
 			packet, arg_length, thd->charset());
+    if (check_table_name (conv_name.str, conv_name.length))
+    {
+      /* this is OK due to convert_string() null-terminating the string */
+      my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
+      break;
+    }
+
     table_list.alias= table_list.table_name= conv_name.str;
     packet= pend+1;
 
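Review bot: The comment inside the new block says "this is OK" without saying what "this" is; it would read better as `/* conv_name.str is safe for %s: convert_string() null-terminates it */`, and the check itself deserves a line such as `/* reject names the parser would refuse (e.g. "../db/t1") before the name is used any further */`. The return value of `convert_string()` in the context line above is not examined, so it is worth confirming that `conv_name.str` cannot be NULL when it reaches `check_table_name()` and the `%s` argument of `my_error()`. The validated buffer is then assigned to `table_list.table_name`; if code after the hunk rewrites that buffer in place, the validation should be confirmed to still hold for the final form. The enclosing case of `dispatch_command` starts and ends outside the hunk.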

=== modified file 'tests/mysql_client_test.c'
--- a/tests/mysql_client_test.c	2009-08-08 02:32:01 +0000
+++ b/tests/mysql_client_test.c	2010-05-05 13:33:46 +0000
@@ -16679,6 +16679,47 @@ static void test_bug45010()
 }
 
 
+static void test_bug53371()
+{
+  int rc;
+  MYSQL_RES *result;
+
+  myheader("test_bug53371");
+
+  rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+
+  rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
+  myquery(rc);
+  rc= mysql_query(mysql, "CREATE DATABASE bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
+  myquery(rc);
+
+  rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
+  myquery(rc);
+
+  rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
+  DIE_UNLESS(rc);
+  DIE_UNLESS(mysql_errno(mysql) == 1142);
+
+  result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
+  DIE_IF(result);
+
+  rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP TABLE t1");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP DATABASE bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+  myquery(rc);
+}
+
+
 /*
   Read and parse arguments and MySQL options from my.cnf
 */
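Review bot: `DIE_IF(result);` after `mysql_list_fields()` only proves that the call returned NULL, which any failure would produce, so the test does not pin the rejection to the new table-name check. Adding `DIE_UNLESS(mysql_errno(mysql) == ER_WRONG_TABLE_NAME);` right after it would do that; if the symbol is not available in this file, the numeric code can be used instead, matching the literal `1142` above. The first `DROP USER 'testbug'@localhost` leaves `rc` unchecked, presumably because the user may not exist yet; a comment such as `/* failure ignored: the user may not exist */` would make that intent explicit.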
@@ -16982,6 +17023,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug41078", test_bug41078 },
   { "test_bug20023", test_bug20023 },
   { "test_bug45010", test_bug45010 },
+  { "test_bug53371", test_bug53371 },
   { 0, 0 }
 };
 


Attachment: [text/bzr-bundle] bzr/sunanda.menon@sun.com-20100505133346-xr2m07ttmqyx9uvz.bundle