From: Date: November 6 2007 6:09pm
Subject: bk commit into 5.1 tree (mattiasj:1.2605) BUG#32091
List-Archive: http://lists.mysql.com/commits/37201
X-Bug: 32091
Message-Id: <20071106170927.0034B50A855@mattiasj-laptop>

Below is the list of changes that have just been committed into a local
5.1 repository of mattiasj. When mattiasj does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-11-06 18:09:21+01:00, mattiasj@mattiasj-laptop.(none) +3 -0
  Bug#32091: Security breach via directory changes
  
  Problem: the table's INDEX and DATA DIR was taken
    directly from the tables first partition,
    and opening for a rename attack similar to
    bug#32111 when ALTER TABLE REMOVE PARTITIONING
  
  Solution: Silently ignore (like some other storage
    engines) the INDEX/DATA DIR for the table.
    (Only use INDEX/DATA DIR for each partitions,
    not for the whole table)

  mysql-test/r/partition_mgm.result@stripped, 2007-11-06 18:09:17+01:00, mattiasj@mattiasj-laptop.(none) +67 -0
    Bug#32091: Security breach via directory changes
    test result

  mysql-test/t/partition_mgm.test@stripped, 2007-11-06 18:09:17+01:00, mattiasj@mattiasj-laptop.(none) +79 -0
    Bug#32091: Security breach via directory changes
    test case

  sql/ha_partition.cc@stripped, 2007-11-06 18:09:17+01:00, mattiasj@mattiasj-laptop.(none) +1 -0
    Bug#32091: Security breach via directory changes
    
    Do not use the first partitions DATA/INDEX DIR
    as the whole tables DATA/INDEX DIR.

diff -Nrup a/mysql-test/r/partition_mgm.result b/mysql-test/r/partition_mgm.result
--- a/mysql-test/r/partition_mgm.result	2007-04-04 16:26:24 +02:00
+++ b/mysql-test/r/partition_mgm.result	2007-11-06 18:09:17 +01:00
@@ -1,4 +1,71 @@
 DROP TABLE IF EXISTS t1;
+GRANT USAGE ON test.* TO eviluser@localhost;
+CREATE DATABASE securedb;
+USE securedb;
+CREATE TABLE t1 (a INT);
+insert into t1 values (0);
+USE test;
+CREATE TABLE t1 (a INT)
+PARTITION BY LIST (a) (
+PARTITION p0 VALUES IN (0)
+DATA DIRECTORY 'MYSQLTEST_VARDIR/master-data/securedb'
+  INDEX DIRECTORY 'MYSQLTEST_VARDIR/master-data/securedb',
+PARTITION p1 VALUES IN (1)
+DATA DIRECTORY 'MYSQLTEST_VARDIR/master-data/test'
+  INDEX DIRECTORY 'MYSQLTEST_VARDIR/master-data/test',
+PARTITION p2 VALUES in (2)
+);
+ALTER TABLE t1 REMOVE PARTITIONING;
+insert into t1 values (1);
+select * from t1;
+a
+1
+USE securedb;
+flush tables;
+select * from t1;
+a
+0
+use test;
+select * from t1;
+a
+1
+drop table t1;
+drop database securedb;
+create database securedb;
+use securedb;
+create table t1 (a int)
+partition by list (a) (
+partition p0 values in (0)
+DATA DIRECTORY 'MYSQLTEST_VARDIR/master-data/test'
+  INDEX DIRECTORY 'MYSQLTEST_VARDIR/master-data/test'
+  ,partition p1 values in (1)
+DATA DIRECTORY 'MYSQLTEST_VARDIR/master-data/securedb'
+  INDEX DIRECTORY 'MYSQLTEST_VARDIR/master-data/securedb'
+);
+use test;
+create table t1 (a int)
+partition by list (a) (
+partition p0 values in (0)
+DATA DIRECTORY 'MYSQLTEST_VARDIR/master-data/securedb'
+  INDEX DIRECTORY 'MYSQLTEST_VARDIR/master-data/securedb'
+  ,partition p1 values in (1)
+DATA DIRECTORY 'MYSQLTEST_VARDIR/master-data/test'
+  INDEX DIRECTORY 'MYSQLTEST_VARDIR/master-data/test'
+);
+ERROR HY000: Can't create/write to file 'MYSQLTEST_VARDIR/master-data/test/t1#P#p0.MYI' (Errcode: 17)
+create table t1 (a int)
+partition by list (a) (
+partition p0 values in (0)
+DATA DIRECTORY 'MYSQLTEST_VARDIR/master-data/test'
+  INDEX DIRECTORY 'MYSQLTEST_VARDIR/master-data/test'
+  ,partition p1 values in (1)
+DATA DIRECTORY 'MYSQLTEST_VARDIR/master-data/securedb'
+  INDEX DIRECTORY 'MYSQLTEST_VARDIR/master-data/securedb'
+);
+ERROR HY000: Can't create/write to file 'MYSQLTEST_VARDIR/master-data/test/t1#P#p0.MYI' (Errcode: 17)
+drop database securedb;
+use test;
+REVOKE USAGE ON *.* FROM eviluser@localhost;
 create table t1 (a int)
 partition by range (a)
 subpartition by key (a)
diff -Nrup a/mysql-test/t/partition_mgm.test b/mysql-test/t/partition_mgm.test
--- a/mysql-test/t/partition_mgm.test	2007-04-04 16:26:24 +02:00
+++ b/mysql-test/t/partition_mgm.test	2007-11-06 18:09:17 +01:00
@@ -4,6 +4,85 @@ DROP TABLE IF EXISTS t1;
 --enable_warnings
 
 #
+# Bug 32091: Security breach via directory changes
+#
+
+GRANT USAGE ON test.* TO eviluser@localhost;
+CREATE DATABASE securedb;
+USE securedb;
+CREATE TABLE t1 (a INT);
+insert into t1 values (0);
+connect(con1,localhost,eviluser,,);
+connection con1;
+USE test;
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+eval CREATE TABLE t1 (a INT)
+PARTITION BY LIST (a) (
+ PARTITION p0 VALUES IN (0)
+  DATA DIRECTORY '$MYSQLTEST_VARDIR/master-data/securedb'
+  INDEX DIRECTORY '$MYSQLTEST_VARDIR/master-data/securedb',
+ PARTITION p1 VALUES IN (1)
+  DATA DIRECTORY '$MYSQLTEST_VARDIR/master-data/test'
+  INDEX DIRECTORY '$MYSQLTEST_VARDIR/master-data/test',
+ PARTITION p2 VALUES in (2)
+);
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+ALTER TABLE t1 REMOVE PARTITIONING;
+insert into t1 values (1);
+select * from t1;
+
+connection default;
+USE securedb;
+flush tables;
+select * from t1;
+use test;
+select * from t1;
+drop table t1;
+drop database securedb;
+create database securedb;
+use securedb;
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+eval create table t1 (a int)
+ partition by list (a) (
+  partition p0 values in (0)
+  DATA DIRECTORY '$MYSQLTEST_VARDIR/master-data/test'
+  INDEX DIRECTORY '$MYSQLTEST_VARDIR/master-data/test'
+  ,partition p1 values in (1)
+  DATA DIRECTORY '$MYSQLTEST_VARDIR/master-data/securedb'
+  INDEX DIRECTORY '$MYSQLTEST_VARDIR/master-data/securedb'
+);
+connection con1;
+use test;
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+-- error 1
+eval create table t1 (a int)
+ partition by list (a) (
+  partition p0 values in (0)
+  DATA DIRECTORY '$MYSQLTEST_VARDIR/master-data/securedb'
+  INDEX DIRECTORY '$MYSQLTEST_VARDIR/master-data/securedb'
+  ,partition p1 values in (1)
+  DATA DIRECTORY '$MYSQLTEST_VARDIR/master-data/test'
+  INDEX DIRECTORY '$MYSQLTEST_VARDIR/master-data/test'
+);
+
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+-- error 1
+eval create table t1 (a int)
+ partition by list (a) (
+  partition p0 values in (0)
+  DATA DIRECTORY '$MYSQLTEST_VARDIR/master-data/test'
+  INDEX DIRECTORY '$MYSQLTEST_VARDIR/master-data/test'
+  ,partition p1 values in (1)
+  DATA DIRECTORY '$MYSQLTEST_VARDIR/master-data/securedb'
+  INDEX DIRECTORY '$MYSQLTEST_VARDIR/master-data/securedb'
+);
+connection default;
+drop database securedb;
+use test;
+REVOKE USAGE ON *.* FROM eviluser@localhost;
+disconnect con1;
+
+#
 # Bug 21143: mysqld hang when error in number of subparts in
 #            REORGANIZE command
 #
diff -Nrup a/sql/ha_partition.cc b/sql/ha_partition.cc
--- a/sql/ha_partition.cc	2007-10-31 13:13:17 +01:00
+++ b/sql/ha_partition.cc	2007-11-06 18:09:17 +01:00
@@ -1599,6 +1599,7 @@ error:
 void ha_partition::update_create_info(HA_CREATE_INFO *create_info)
 {
   m_file[0]->update_create_info(create_info);
+  create_info->data_file_name= create_info->index_file_name = NULL;
   return;
 }