List:Commits« Previous MessageNext Message »
From:Li-Bing.Song Date:June 24 2010 10:24am
Subject:bzr commit into mysql-5.1-bugteam branch (Li-Bing.Song:3438) Bug#49124
View as plain text  
#At file:///home/anders/work/bzrwork1/wt1/mysql-5.1-bugteam/ based on revid:sergey.glukhov@stripped

 3438 Li-Bing.Song@stripped	2010-06-24
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave
      
      /*!50200 Query Code */ is a special comment that the query in it can
      be executed on those servers whose versions are larger than the 
      version appearing in the comment. It leads to a security issue when
      slave's version is larger than master's. A malicious user can improve
      his privileges on slaves. Because slave SQL thread is running with 
      SUPER privileges, so it can execute queries that he/she does not have
      privileges on master.
      
      This bug is fixed with the logic below: 
      - Use '#' instead of '!' in the magic comments which are not applied on
        master. So they become common comments and will not be applied on slave.
      
      - Example:
        'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*#99999 ,(3)*/

    added:
      mysql-test/suite/rpl/r/rpl_magic_comments.result
      mysql-test/suite/rpl/t/rpl_magic_comments.test
    modified:
      sql/sql_lex.cc
      sql/sql_lex.h
=== added file 'mysql-test/suite/rpl/r/rpl_magic_comments.result'
--- a/mysql-test/suite/rpl/r/rpl_magic_comments.result	1970-01-01 00:00:00 +0000
+++ b/mysql-test/suite/rpl/r/rpl_magic_comments.result	2010-06-24 10:18:04 +0000
@@ -0,0 +1,50 @@
+stop slave;
+drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9;
+reset master;
+reset slave;
+drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9;
+start slave;
+CREATE TABLE t1(c1 INT);
+show binlog events from <binlog_start>;
+Log_name	Pos	Event_type	Server_id	End_log_pos	Info
+master-bin.000001	#	Query	#	#	use `test`; CREATE TABLE t1(c1 INT)
+
+# Case 1:
+# ------------------------------------------------------------------
+# In a statement, some MCs are applied while others are not. The Mcs
+# which are not applied on master will be binlogged as common comments.
+/*!99999 --- */INSERT /*!INTO*/ /*!10000 t1 */ VALUES(10) /*!99999 ,(11)*/;
+show binlog events from <binlog_start>;
+Log_name	Pos	Event_type	Server_id	End_log_pos	Info
+master-bin.000001	#	Query	#	#	use `test`; /*#99999 --- */INSERT /*!INTO*/ /*!10000 t1 */ VALUES(10) /*#99999 ,(11)*/
+Comparing tables master:test.t1 and slave:test.t1
+
+# Case 2:
+# -----------------------------------------------------------------
+# Verify whether it can be binlogged correctly when executing prepared
+# statement.
+PREPARE stmt FROM 'INSERT INTO /*!99999 blabla*/ t1 VALUES(60) /*!99999 ,(61)*/';
+EXECUTE stmt;
+DROP TABLE t1;
+CREATE TABLE t1(c1 INT);
+EXECUTE stmt;
+Comparing tables master:test.t1 and slave:test.t1
+
+SET @value=62;
+PREPARE stmt FROM 'INSERT INTO /*!99999 blabla */ t1 VALUES(?) /*!99999 ,(63)*/';
+EXECUTE stmt USING @value;
+DROP TABLE t1;
+CREATE TABLE t1(c1 INT);
+EXECUTE stmt USING @value;
+show binlog events from <binlog_start>;
+Log_name	Pos	Event_type	Server_id	End_log_pos	Info
+master-bin.000001	#	Query	#	#	use `test`; INSERT INTO /*#99999 blabla*/ t1 VALUES(60) /*#99999 ,(61)*/
+master-bin.000001	#	Query	#	#	use `test`; DROP TABLE t1
+master-bin.000001	#	Query	#	#	use `test`; CREATE TABLE t1(c1 INT)
+master-bin.000001	#	Query	#	#	use `test`; INSERT INTO /*#99999 blabla*/ t1 VALUES(60) /*#99999 ,(61)*/
+master-bin.000001	#	Query	#	#	use `test`; INSERT INTO /*#99999 blabla */ t1 VALUES(62) /*#99999 ,(63)*/
+master-bin.000001	#	Query	#	#	use `test`; DROP TABLE t1
+master-bin.000001	#	Query	#	#	use `test`; CREATE TABLE t1(c1 INT)
+master-bin.000001	#	Query	#	#	use `test`; INSERT INTO /*#99999 blabla */ t1 VALUES(62) /*#99999 ,(63)*/
+Comparing tables master:test.t1 and slave:test.t1
+DROP TABLE t1;

=== added file 'mysql-test/suite/rpl/t/rpl_magic_comments.test'
--- a/mysql-test/suite/rpl/t/rpl_magic_comments.test	1970-01-01 00:00:00 +0000
+++ b/mysql-test/suite/rpl/t/rpl_magic_comments.test	2010-06-24 10:18:04 +0000
@@ -0,0 +1,67 @@
+###############################################################################
+# After the patch for BUG#49124:
+#  - Use '#' instead of '!' in the magic comments which are not applied on
+#  master. So they become common comments and will not be applied on slave.
+#
+#  - Example: 
+#  'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/ will be
+#  binlogged as 
+#  'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*#99999 ,(3)*/'.
+###############################################################################
+source include/master-slave.inc;
+source include/have_binlog_format_statement.inc;
+
+CREATE TABLE t1(c1 INT);
+source include/show_binlog_events.inc;
+let $binlog_start= query_get_value(SHOW MASTER STATUS, Position, 1);
+
+--echo
+--echo # Case 1:
+--echo # ------------------------------------------------------------------
+--echo # In a statement, some MCs are applied while others are not. The Mcs
+--echo # which are not applied on master will be binlogged as common comments.
+
+/*!99999 --- */INSERT /*!INTO*/ /*!10000 t1 */ VALUES(10) /*!99999 ,(11)*/;
+
+source include/show_binlog_events.inc;
+let $binlog_start= query_get_value(SHOW MASTER STATUS, Position, 1);
+sync_slave_with_master;
+let $diff_table_1=master:test.t1;
+let $diff_table_2=slave:test.t1;
+source include/diff_tables.inc;
+
+--echo
+--echo # Case 2:
+--echo # -----------------------------------------------------------------
+--echo # Verify whether it can be binlogged correctly when executing prepared
+--echo # statement.
+PREPARE stmt FROM 'INSERT INTO /*!99999 blabla*/ t1 VALUES(60) /*!99999 ,(61)*/';
+EXECUTE stmt;
+DROP TABLE t1;
+CREATE TABLE t1(c1 INT);
+EXECUTE stmt;
+
+sync_slave_with_master;
+let $diff_table_1=master:test.t1;
+let $diff_table_2=slave:test.t1;
+source include/diff_tables.inc;
+
+--echo
+SET @value=62;
+PREPARE stmt FROM 'INSERT INTO /*!99999 blabla */ t1 VALUES(?) /*!99999 ,(63)*/';
+EXECUTE stmt USING @value;
+DROP TABLE t1;
+CREATE TABLE t1(c1 INT);
+EXECUTE stmt USING @value;
+
+source include/show_binlog_events.inc;
+let $binlog_start= query_get_value(SHOW MASTER STATUS, Position, 1);
+
+sync_slave_with_master;
+let $diff_table_1=master:test.t1;
+let $diff_table_2=slave:test.t1;
+source include/diff_tables.inc;
+
+DROP TABLE t1;
+sync_slave_with_master;
+source include/master-slave-end.inc;

=== modified file 'sql/sql_lex.cc'
--- a/sql/sql_lex.cc	2010-06-11 12:52:06 +0000
+++ b/sql/sql_lex.cc	2010-06-24 10:18:04 +0000
@@ -1304,6 +1304,7 @@ int MYSQLlex(void *arg, void *yythd)
           }
           else
           {
+            lip->yySet(-6, '#');
             comment_closed= ! consume_comment(lip, 1);
             /* version allowed to have one level of comment inside. */
           }

=== modified file 'sql/sql_lex.h'
--- a/sql/sql_lex.h	2010-06-11 12:52:06 +0000
+++ b/sql/sql_lex.h	2010-06-24 10:18:04 +0000
@@ -1220,6 +1220,17 @@ public:
   }
 
   /**
+    Assign a character to a given position in the buf.
+    @param n the position related to m_ptr.
+    @param c the value which should be set into the buf.
+  */
+  void yySet(int n, char c)
+  {
+    char *ptr= (char *)m_ptr + n;
+    *ptr= c;
+  }
+
+  /**
     Get a character, and advance in the stream.
     @return the next character to parse.
   */


Attachment: [text/bzr-bundle] bzr/li-bing.song@sun.com-20100624101804-he6g9oivvehdfjue.bundle
Thread
bzr commit into mysql-5.1-bugteam branch (Li-Bing.Song:3438) Bug#49124Li-Bing.Song24 Jun
  • Re: bzr commit into mysql-5.1-bugteam branch (Li-Bing.Song:3438)Bug#49124He Zhenxing29 Jun