From f80a925e9f30bdcbc67af444704ed87ca4ac6d56 Mon Sep 17 00:00:00 2001
From: Sunanda Menon
Date: Wed, 5 May 2010 15:33:46 +0200
Subject: [PATCH 1/3] ------------------------------------------------------------ revno: 2861 committer: Georgi Kodinov branch nick: B53371-5.0-bugteam timestamp: Mon 2010-05-03 18:16:51 +0300 message: Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants. The server was not checking the supplied to COM_FIELD_LIST table name for validity and compliance to acceptable table names standards. Fixed by checking the table name for compliance similar to how it's normally checked by the parser and returning an error message if it's not compliant.
---
sql/sql_parse.cc | 7 +++++++
tests/mysql_client_test.c | 42 +++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 2b43d95dd7c..807d6c09a46 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -2042,6 +2042,13 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
}
thd->convert_string(&conv_name, system_charset_info, packet, arg_length, thd->charset());
+ if (check_table_name (conv_name.str, conv_name.length))
+ {
+ /* this is OK due to convert_string() null-terminating the string */
+ my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
+ break;
+ }
+
table_list.alias= table_list.table_name= conv_name.str;
packet= pend+1;
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index 63137bdba93..5b26b96707b 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
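Review bot: The new `check_table_name()` guard in the sql/sql_parse.cc hunk has no comment saying why it exists; the only comment in the branch explains the `my_error()` argument. The commit message gives the reason (the table name supplied to COM_FIELD_LIST was never checked the way the parser checks names), and that belongs above the `if`, for example `/* Name comes from the packet, not the parser: apply the parser's table-name rules (Bug#53371) */`, so a later cleanup does not drop the check as redundant. The guard and the `my_error()` call both read `conv_name.str`, yet the context line above discards the result of `thd->convert_string()`; if that call can fail, its result should presumably be tested before the name is used. The call is also written `check_table_name (` with a space before the parenthesis, unlike `my_error(` two lines below. `dispatch_command` starts and ends outside the hunk.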
@@ -16679,6 +16679,47 @@ static void test_bug45010()
}
+static void test_bug53371()
+{
+ int rc;
+ MYSQL_RES *result;
+
+ myheader("test_bug53371");
+
+ rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+
+ rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
+ myquery(rc);
+ rc= mysql_query(mysql, "CREATE DATABASE bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
+ myquery(rc);
+
+ rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
+ myquery(rc);
+
+ rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
+ DIE_UNLESS(rc);
+ DIE_UNLESS(mysql_errno(mysql) == 1142);
+
+ result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
+ DIE_IF(result);
+
+ rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP TABLE t1");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP DATABASE bug53371");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+ myquery(rc);
+}
+
+
/* Read and parse arguments and MySQL options from my.cnf */
@@ -16982,6 +17023,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug41078", test_bug41078 },
{ "test_bug20023", test_bug20023 },
{ "test_bug45010", test_bug45010 },
+ { "test_bug53371", test_bug53371 },
{ 0, 0 }
};
From 8cf7586e43895f5644674ba5d68e224c8d7671fc Mon Sep 17 00:00:00 2001
From: Georgi Kodinov
Date: Tue, 1 Jun 2010 15:14:38 +0300
Subject: [PATCH 2/3] Bug #54138 : making main.sp and rpl.rpl_row_sp011 experimental on solaris
---
mysql-test/collections/default.experimental | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mysql-test/collections/default.experimental b/mysql-test/collections/default.experimental
index d791686cd62..c123e400f17 100644
--- a/mysql-test/collections/default.experimental
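Review bot: In `test_bug53371`, `DIE_IF(result)` after `mysql_list_fields(mysql, "../client_test_db/t1", NULL)` passes on any failure, so the test does not show that the request was rejected by the new name check rather than failing for an unrelated reason. Following it with `DIE_UNLESS(mysql_errno(mysql) == ER_WRONG_TABLE_NAME);` would tie the test to the server-side change, assuming the server error constants are visible in this file. The bare `1142` two lines earlier would likewise read better as `ER_TABLEACCESS_DENIED_ERROR`. The first `DROP USER 'testbug'@localhost` leaves `rc` unchecked, presumably because the account may not exist yet; a short comment such as `/* ignore failure: the user may not exist */` would make that intent explicit.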
+++ b/mysql-test/collections/default.experimental
@@ -14,11 +14,13 @@ funcs_2.ndb_charset # joro : NDB tests marked as experiment
main.ctype_gbk_binlog @solaris # Bug#46010: main.ctype_gbk_binlog fails sporadically : Table 't2' already exists
main.plugin_load @solaris # Bug#42144
+main.sp @solaris # joro : Bug#54138
main.outfile_loaddata @solaris # joro : Bug #46895
ndb.* # joro : NDB tests marked as experimental as agreed with bochklin
rpl.rpl_innodb_bug28430* @solaris # Bug#46029
+rpl.rpl_row_sp011 @solaris # Joro : Bug #54138
rpl_ndb.* # joro : NDB tests marked as experimental as agreed with bochklin
rpl_ndb.rpl_ndb_log # Bug#38998
From 6b101d4ffc8ed7706a27a0057552ad83c225f627 Mon Sep 17 00:00:00 2001
From: Georgi Kodinov
Date: Tue, 1 Jun 2010 15:16:35 +0300
Subject: [PATCH 3/3] Bug#40928 : make main.func_str experimental on Solaris
---
mysql-test/collections/default.experimental | 1 +
1 file changed, 1 insertion(+)
diff --git a/mysql-test/collections/default.experimental b/mysql-test/collections/default.experimental
index c123e400f17..11c6613a9f7 100644
--- a/mysql-test/collections/default.experimental
+++ b/mysql-test/collections/default.experimental
@@ -13,6 +13,7 @@ funcs_1.ndb* # joro : NDB tests marked as experiment
funcs_2.ndb_charset # joro : NDB tests marked as experimental as agreed with bochklin
main.ctype_gbk_binlog @solaris # Bug#46010: main.ctype_gbk_binlog fails sporadically : Table 't2' already exists
+main.func_str @solaris # joro: Bug#40928
main.plugin_load @solaris # Bug#42144
main.sp @solaris # joro : Bug#54138
main.outfile_loaddata @solaris # joro : Bug #46895