From:joerg Date:November 15 2007 9:55am
Subject:bk commit into 5.0-community tree (joerg:1.2539) BUG#32111
Below is the list of changes that have just been committed into a local
5.0-community repository of mysqldev. When mysqldev does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-11-15 10:55:47+01:00, joerg@stripped +3 -0
  BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
  
  RENAME TABLE against a table with DATA/INDEX DIRECTORY overwrites
  the file to which the symlink points.
  
  This is a security issue, because it is possible to create a table with
  some name in some non-system database and set DATA/INDEX DIRECTORY
  to the mysql system database. Renaming this table to one of the mysql
  system tables (e.g. user, host) would overwrite the system table.
  
  Return an error when the file to which the symlink points exists.
  
  (This is a copy of changeset 2007/11/06 18:09:33+04:00 svoj@stripped
  and its merge changesets on the way from 4.0 up to 5.0)

  mysql-test/r/symlink.result@stripped, 2007-11-15 10:55:43+01:00, joerg@stripped +6 -0
    A test case for BUG#32111, with after merge fix, and using proper variable.

  mysql-test/t/symlink.test@stripped, 2007-11-15 10:55:43+01:00, joerg@stripped +12 -0
    A test case for BUG#32111, with after merge fix, and using proper variable.

  mysys/my_symlink2.c@stripped, 2007-11-15 10:55:43+01:00, joerg@stripped +10 -1
    Return an error when the file to which the symlink points exist.

diff -Nrup a/mysql-test/r/symlink.result b/mysql-test/r/symlink.result
--- a/mysql-test/r/symlink.result	2007-07-13 15:32:27 +02:00
+++ b/mysql-test/r/symlink.result	2007-11-15 10:55:43 +01:00
@@ -99,6 +99,12 @@ t1	CREATE TABLE `t1` (
   `b` int(11) default NULL
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
 drop table t1;
+CREATE TABLE t1(a INT)
+DATA DIRECTORY='TEST_DIR/master-data/mysql'
+INDEX DIRECTORY='TEST_DIR/master-data/mysql';
+RENAME TABLE t1 TO user;
+ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17)
+DROP TABLE t1;
 show create table t1;
 Table	Create Table
 t1	CREATE TABLE `t1` (
diff -Nrup a/mysql-test/t/symlink.test b/mysql-test/t/symlink.test
--- a/mysql-test/t/symlink.test	2007-07-13 15:32:27 +02:00
+++ b/mysql-test/t/symlink.test	2007-11-15 10:55:43 +01:00
@@ -125,6 +125,18 @@ show create table t1;
 drop table t1;
 
 #
+# BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE
+#
+--replace_result $MYSQLTEST_VARDIR TEST_DIR
+eval CREATE TABLE t1(a INT)
+DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'
+INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql';
+--replace_result $MYSQLTEST_VARDIR TEST_DIR
+--error 1
+RENAME TABLE t1 TO user;
+DROP TABLE t1;
+
+#
 # Test specifying DATA DIRECTORY that is the same as what would normally
 # have been chosen. (Bug #8707)
 #
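Review bot: The new case sets both DATA DIRECTORY and INDEX DIRECTORY, and the recorded result shows the rename failing on `user.MYI`, so the data-file path (`user.MYD`) is presumably never reached by this test. A second case that sets only `DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'` and expects the same error would cover the other symlinked file. The test also proves only that an error is raised, so a statement that reads from `mysql.user` after the failed RENAME would show that the system table survived.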
diff -Nrup a/mysys/my_symlink2.c b/mysys/my_symlink2.c
--- a/mysys/my_symlink2.c	2007-07-18 14:33:39 +02:00
+++ b/mysys/my_symlink2.c	2007-11-15 10:55:43 +01:00
@@ -126,6 +126,7 @@ int my_rename_with_symlink(const char *f
   int was_symlink= (!my_disable_symlinks &&
 		    !my_readlink(link_name, from, MYF(0)));
   int result=0;
+  int name_is_different;
   DBUG_ENTER("my_rename_with_symlink");
 
   if (!was_symlink)
@@ -134,6 +135,14 @@ int my_rename_with_symlink(const char *f
   /* Change filename that symlink pointed to */
   strmov(tmp_name, to);
   fn_same(tmp_name,link_name,1);		/* Copy dir */
+  name_is_different= strcmp(link_name, tmp_name);
+  if (name_is_different && !access(tmp_name, F_OK))
+  {
+    my_errno= EEXIST;
+    if (MyFlags & MY_WME)
+      my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST);
+    DBUG_RETURN(1);
+  }
 
   /* Create new symlink */
   if (my_symlink(tmp_name, to, MyFlags))
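Review bot: The `access(tmp_name, F_OK)` test and the later `my_rename(link_name, tmp_name, MyFlags)` are separate steps, so a file that appears at `tmp_name` between them would still be replaced by the rename. The check covers the case in the commit message, where the target already exists, but not a concurrent creation; I would record that next to it, e.g. `/* Advisory only: a file created at tmp_name after this check is still overwritten by the rename below. */`. In addition, `!access(...)` reads every failure as "does not exist", including errors other than ENOENT. If errno is usable here, refusing unless the failure is ENOENT would fail closed: `if (name_is_different && (!access(tmp_name, F_OK) || errno != ENOENT))`. my_rename_with_symlink starts and ends outside this hunk, and the last hunk of this file reuses `name_is_different`.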
@@ -145,7 +154,7 @@ int my_rename_with_symlink(const char *f
     the same basename and different directories.
    */
 
-  if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags))
+  if (name_is_different && my_rename(link_name, tmp_name, MyFlags))
   {
     int save_errno=my_errno;
     my_delete(to, MyFlags);			/* Remove created symlink */