From:Chad MILLER Date:March 30 2006 8:56pm
Subject:bk commit into 5.0 tree (cmiller:1.2099) BUG#17667
Below is the list of changes that have just been committed into a local
5.0 repository of cmiller. When cmiller does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet
  1.2099 06/03/30 13:56:20 cmiller@zippy.(none) +2 -0
  Bug#17667: An attacker has the opportunity to bypass query logging.
  
  NUL characters should be illegal anywhere in queries, but the comment-
  parsing code did not balk at them, and instead allowed them into the
  server.  When we log queries, we treat queries as C strings (which 
  perhaps we should not), and the illegal character was interpreted as 
  the end of a string.

  tests/mysql_client_test.c
    1.180 06/03/30 13:56:17 cmiller@zippy.(none) +45 -0
    Test that sending a NUL character in the query comment causes a parsing error.

  sql/sql_lex.cc
    1.181 06/03/30 13:56:17 cmiller@zippy.(none) +3 -0
    No longer silently seek over NUL characters in search of the comment's 
    terminating '*' + '/' .  If we encounter a NUL character, abort.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	cmiller
# Host:	zippy.(none)
# Root:	/home/cmiller/work/mysql/mysql-5.0__bug17667

--- 1.180/sql/sql_lex.cc	2006-03-09 19:44:01 -05:00
+++ 1.181/sql/sql_lex.cc	2006-03-30 13:56:17 -05:00
@@ -960,6 +960,9 @@
       while (lex->ptr != lex->end_of_query &&
 	     ((c=yyGet()) != '*' || yyPeek() != '/'))
       {
+        if (c == '\0')
+          return(ABORT_SYM);              // NULLs illegal even in comments
+
 	if (c == '\n')
 	  lex->yylineno++;
       }
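Review bot: The guard added on lines 44–45 rejects a NUL byte only on the `/* ... */` block-comment path, while the weakness the commit message itself names — the query log treating the statement as a C string — is left in place, so any other lexer path that still admits a NUL (line comments, quoted strings, identifiers; none visible in this hunk) would truncate the logged statement in exactly the same way. A more durable fix writes the statement to the log with its explicit length instead of relying on a terminator, and keeps this lexer check as defence in depth. The inline comment should also state why the byte is rejected rather than just that it is, e.g. `// NUL bytes are rejected even inside comments: a NUL would truncate the C-string based query log`. The enclosing function begins and ends outside the hunk.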

--- 1.179/tests/mysql_client_test.c	2006-03-10 13:47:17 -05:00
+++ 1.180/tests/mysql_client_test.c	2006-03-30 13:56:17 -05:00
@@ -28,6 +28,7 @@
 
 
 #include <my_global.h>
+#include <mysqld_error.h>
 #include <my_sys.h>
 #include <mysql.h>
 #include <errmsg.h>
@@ -14823,6 +14824,49 @@
 }
 
 /*
+  Bug #17667: An attacker has the opportunity to bypass query logging.
+*/
+
+static void test_bug17667()
+{
+  NET *net= &mysql->net;
+  int rc;
+  myheader("test_bug17667");
+
+  /* I. Prepare the table */
+  mysql_real_query(mysql,     "drop table if exists t1", 23);
+
+  rc= mysql_real_query(mysql, "create table t1 (i int)", 23);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == 0);
+
+  mysql_real_query(mysql,     "insert into t1 (i) values (1)", 29);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == 0);
+
+  mysql_real_query(mysql,     "insert into /* NUL=\0 */ t1 (i) values (2)", 41);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);
+
+  mysql_real_query(mysql,     "/* NUL=\0 */ insert into t1 (i) values (3)", 41);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);
+
+  mysql_real_query(mysql,     "insert into /* TAB=\t */ t1 (i) values (4)", 41);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == 0);
+
+  mysql_real_query(mysql,     "/* TAB=\t */ insert into t1 (i) values (5)", 41);
+  myquery(rc);
+  DIE_UNLESS(net->last_errno == 0);
+
+  /* II. Cleanup */
+  rc= mysql_real_query(mysql, "drop table t1", 13);
+  myquery(rc);
+}
+
+
+/*
   Bug#14169: type of group_concat() result changed to blob if tmp_table was used
 */
 static void test_bug14169()
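Review bot: Only the `create table` call on line 77 stores its result in `rc`; the five `mysql_real_query` calls on lines 81–97 discard theirs, so every following `myquery(rc)` re-checks the stale success value and the two NUL queries are never shown to have failed at the API level — they pass solely on `net->last_errno`, which would also hold a leftover value if a call were rejected client-side. Assign `rc` on every call, use `DIE_UNLESS(rc != 0)` ahead of the `ER_PARSE_ERROR` check for the two NUL statements, and keep `myquery(rc)` for the TAB statements. A closing `select count(*)` asserting that only rows 1, 4 and 5 exist would additionally confirm the rejected statements never executed; whether the log entry itself is no longer truncated cannot be observed from this client-side test. The test also leaves NUL bytes in `--`/`#` line comments and in string literals unexercised, which the commit message's "illegal anywhere" claim presumably covers.
```c
static void test_bug17667()
{
  /* … unchanged: net, rc, myheader, drop/create of t1 … */

  rc= mysql_real_query(mysql, "insert into t1 (i) values (1)", 29);
  myquery(rc);

  rc= mysql_real_query(mysql, "insert into /* NUL=\0 */ t1 (i) values (2)", 41);
  DIE_UNLESS(rc != 0);
  DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);

  rc= mysql_real_query(mysql, "/* NUL=\0 */ insert into t1 (i) values (3)", 41);
  DIE_UNLESS(rc != 0);
  DIE_UNLESS(net->last_errno == ER_PARSE_ERROR);

  rc= mysql_real_query(mysql, "insert into /* TAB=\t */ t1 (i) values (4)", 41);
  myquery(rc);

  rc= mysql_real_query(mysql, "/* TAB=\t */ insert into t1 (i) values (5)", 41);
  myquery(rc);

  /* … unchanged: cleanup … */
}
```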
@@ -15121,6 +15165,7 @@
   { "test_bug16143", test_bug16143 },
   { "test_bug15613", test_bug15613 },
   { "test_bug14169", test_bug14169 },
+  { "test_bug17667", test_bug17667 },
   { 0, 0 }
 };
 