Hi!
On Nov 28, gluh@stripped wrote:
> ChangeSet@stripped, 2007-11-28 13:53:01+04:00, gluh@stripped +3 -0
> Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (2nd version)
> added new function test_if_data_home_dir() which checks that
> path does not contain mysql data home directory.
> Use of mysql data home directory in
> DATA DIRECTORY & INDEX DIRECTORY is disallowed.
>
> mysql-test/r/symlink.result@stripped, 2007-11-28 13:53:01+04:00, gluh@stripped +12 -0
> test result
>
> mysql-test/t/symlink.test@stripped, 2007-11-28 13:53:01+04:00, gluh@stripped +17 -0
> test case
>
> sql/sql_parse.cc@stripped, 2007-11-28 13:53:01+04:00, gluh@stripped +48 -0
> added new function test_if_data_home_dir() which checks that
> path does not contain mysql data home directory.
> Use of mysql data home directory in
> DATA DIRECTORY & INDEX DIRECTORY is disallowed.
>
> --- 1.397/sql/sql_parse.cc 2006-04-26 04:41:10 +05:00
> +++ 1.398/sql/sql_parse.cc 2007-11-28 13:53:01 +04:00
> @@ -1681,6 +1682,16 @@ mysql_execute_command(void)
> #ifndef HAVE_READLINK
> lex->create_info.data_file_name=lex->create_info.index_file_name=0;
> #else
> +
> + if (lex->create_info.data_file_name &&
> + test_if_data_home_dir(lex->create_info.data_file_name) ||
> + lex->create_info.index_file_name &&
> + test_if_data_home_dir(lex->create_info.index_file_name))
> + {
> + my_message(ER_UNKNOWN_ERROR, "Can't use data home directory", MYF(0));
find an appropriate error message in, say, 5.0 (e.g. ER_WRONG_ARGUMENTS
looks good), and use it in 5.0. For some kind of consistency use the
error message of that error (ER_WRONG_ARGUMENTS or whatever) in
ER_UNKNOWN_ERROR.
> + res= -1;
> + break;
> + }
> /* Fix names if symlinked tables */
> if (append_file_to_dir(thd, &lex->create_info.data_file_name,
> tables->real_name) ||
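Review bot: The new condition in mysql_execute_command() mixes && and || without parentheses. Operator precedence makes it evaluate as intended, but wrapping each "name && test_if_data_home_dir(name)" pair in its own parentheses states that intent explicitly and avoids compiler warnings about && inside ||. Note also that the check sits before append_file_to_dir() fixes up the names, so it tests the path exactly as the statement supplied it.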
> @@ -4040,4 +4051,41 @@ static bool check_multi_update_lock(THD
>
> error:
> DBUG_RETURN(res);
> +}
> +
> +
> +/*
> + Check if path does not contain mysql data home directory
> +
> + SYNOPSIS
> + test_if_data_home_dir()
> + dir directory
> +
> + RETURN VALUES
> + 0 ok
> + 1 error
> +*/
> +
> +static bool test_if_data_home_dir(const char *dir)
> +{
> + uint home_dir_len= strlen(mysql_real_data_home);
> + uint dir_len;
> + char path[FN_REFLEN], conv_path[FN_REFLEN];
> + DBUG_ENTER("test_if_data_home_dir");
> +
> + (void) fn_format(path, dir, "", "", MY_RETURN_REAL_PATH);
Are symlinks resolved in the mysql_real_data_home?
I didn't see that we do it (call realpath(mysql_real_data_home)).
> + dir_len= unpack_dirname(conv_path, dir);
> + if (home_dir_len <= dir_len)
> + {
> + if (lower_case_file_system)
> + {
> + if (!my_strnncoll(default_charset_info, (const uchar*) conv_path,
> home_dir_len,
> + (const uchar*) mysql_real_data_home, home_dir_len))
> + DBUG_RETURN(1);
> + }
> + else if (!memcmp(conv_path, mysql_real_data_home, home_dir_len))
I don't understand why you need this memcmp.
> + DBUG_RETURN(1);
> + }
> +
> + DBUG_RETURN(0);
> }
>
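Review bot: In test_if_data_home_dir() the buffer "path" filled by fn_format(..., MY_RETURN_REAL_PATH) is never read: both comparisons use conv_path, which unpack_dirname() builds from the original dir, so the resolved path has no effect on the result. Either compare the resolved path or drop the fn_format() call. The comparison also covers only the first home_dir_len bytes, so unless mysql_real_data_home ends in a directory separator, a sibling directory whose name merely begins with the data home path would be rejected as well; checking for a separator (or end of string) at position home_dir_len would tighten it.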
Regards / Mit vielen Grüssen,
Sergei
--
Sergei Golubchik <serg@stripped>
Principal Software Developer
MySQL GmbH, Dachauer Str. 37, D-80335 München
Managing Director: Kaj Arnö - HRB München 162140