Fixes for bugs reported by Stefano Di Paola (stefano.dipaola@wisec.it)

include/my_global.h: O_NOFOLLOW isam/create.c: create table files with O_EXCL|O_NOFOLLOW merge/mrg_create.c: create table files with O_EXCL|O_NOFOLLOW myisam/mi_create.c: create files of temporary tables with O_EXCL|O_NOFOLLOW myisammrg/myrg_create.c: create table files with O_EXCL|O_NOFOLLOW mysys/mf_tempfile.c: create temporary files with O_EXCL|O_NOFOLLOW sql/ha_myisam.cc: let mi_create know if the table is TEMPORARY sql/mysql_priv.h: --allow_suspicious_udfs sql/mysqld.cc: --allow_suspicious_udfs sql/share/english/errmsg.txt: typo sql/sql_udf.cc: --allow_suspicious_udfs don't allow xxx() udf without any of xxx_init/deinit/add/reset check paths when loading from mysql.func sql/table.cc: create frm of temporary table with O_EXCL|O_NOFOLLOW
2005-03-03 19:51:29 +01:00 · 2005-03-03 19:51:29 +01:00 · 8104faa083
commit 8104faa083
parent 026bb52678
12 changed files with 114 additions and 59 deletions
--- a/include/my_global.h
+++ b/include/my_global.h
@ -500,6 +500,9 @@ typedef SOCKET_SIZE_TYPE size_socket;
 #ifndef O_SHORT_LIVED
 #define O_SHORT_LIVED	0
 #endif
 #ifndef O_NOFOLLOW
 #define O_NOFOLLOW      0
 #endif
 /* #define USE_RECORD_LOCK	*/
--- a/isam/create.c
+++ b/isam/create.c
@ -58,13 +58,14 @@ int nisam_create(const char *name,uint keys,N_KEYDEF *keyinfo,
  base_pos=512;					/* Enough for N_STATE_INFO */
  bzero((byte*) &share,sizeof(share));
  if ((file = my_create(fn_format(buff,name,"",N_NAME_IEXT,4),0,
-       O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+       O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0)
    goto err;
  errpos=1;
  VOID(fn_format(buff,name,"",N_NAME_DEXT,2+4));
  if (!(flags & HA_DONT_TOUCH_DATA))
  {
-    if ((dfile = my_create(buff,0,O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+    if ((dfile = my_create(buff,0,O_RDWR | O_EXCL | O_NOFOLLOW,
                           MYF(MY_WME))) < 0)
      goto err;
    errpos=2;
  }
--- a/merge/mrg_create.c
+++ b/merge/mrg_create.c
@ -33,7 +33,7 @@ int mrg_create(const char *name, const char**table_names)
  errpos=0;
  if ((file = my_create(fn_format(buff,name,"",MRG_NAME_EXT,4),0,
-       O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+       O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0)
    goto err;
  errpos=1;
  if (table_names)
--- a/myisam/mi_create.c
+++ b/myisam/mi_create.c
@ -37,7 +37,7 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs,
 {
  register uint i,j;
  File dfile,file;
-  int errpos,save_errno;
+  int errpos,save_errno, create_mode= O_RDWR | O_TRUNC;
  myf create_flag;
  uint fields,length,max_key_length,packed,pointer,
       key_length,info_length,key_segs,options,min_key_length_skipp,
@ -174,7 +174,10 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs,
    min_pack_length+=varchar_length+2*varchar_count;
  }
  if (flags & HA_CREATE_TMP_TABLE)
  {
    options|= HA_OPTION_TMP_TABLE;
    create_mode|= O_EXCL | O_NOFOLLOW;
  }
  if (flags & HA_CREATE_CHECKSUM || (options & HA_OPTION_CHECKSUM))
  {
    options|= HA_OPTION_CHECKSUM;
@ -508,9 +511,7 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs,
    create_flag=MY_DELETE_OLD;
  }
-  if ((file= my_create_with_symlink(linkname_ptr,
+  if ((file= my_create_with_symlink(linkname_ptr, filename, 0, create_mode,
 				    filename,
 				    0, O_RDWR | O_TRUNC,
 				    MYF(MY_WME | create_flag))) < 0)
    goto err;
  errpos=1;
@ -521,7 +522,7 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs,
    if (share.base.raid_type)
    {
      (void) fn_format(filename,name,"",MI_NAME_DEXT,2+4);
-      if ((dfile=my_raid_create(filename,0,O_RDWR | O_TRUNC,
+      if ((dfile=my_raid_create(filename, 0, create_mode
 				share.base.raid_type,
 				share.base.raid_chunks,
 				share.base.raid_chunksize,
@ -545,8 +546,7 @@ int mi_create(const char *name,uint keys,MI_KEYDEF *keydefs,
 	create_flag=MY_DELETE_OLD;
      }
      if ((dfile=
-	   my_create_with_symlink(linkname_ptr, filename,
+	   my_create_with_symlink(linkname_ptr, filename, 0, create_mode,
 				  0,O_RDWR | O_TRUNC,
 				  MYF(MY_WME | create_flag))) < 0)
 	goto err;
    }
--- a/myisammrg/myrg_create.c
+++ b/myisammrg/myrg_create.c
@ -34,7 +34,7 @@ int myrg_create(const char *name, const char **table_names,
  errpos=0;
  if ((file = my_create(fn_format(buff,name,"",MYRG_NAME_EXT,4),0,
-       O_RDWR | O_TRUNC,MYF(MY_WME))) < 0)
+       O_RDWR | O_EXCL | O_NOFOLLOW,MYF(MY_WME))) < 0)
    goto err;
  errpos=1;
  if (table_names)
--- a/mysys/mf_tempfile.c
+++ b/mysys/mf_tempfile.c
@ -70,7 +70,7 @@ File create_temp_file(char *to, const char *dir, const char *prefix,
    {
      strmake(to,res,FN_REFLEN-1);
      (*free)(res);
-      file=my_create(to,0, mode, MyFlags);
+      file=my_create(to,0, mode | O_EXCL | O_NOFOLLOW, MyFlags);
    }
    environ=old_env;
  }
@ -81,7 +81,7 @@ File create_temp_file(char *to, const char *dir, const char *prefix,
  {
    strmake(to,res,FN_REFLEN-1);
    (*free)(res);
-    file=my_create(to, 0, mode, MyFlags);
+    file=my_create(to, 0, mode | O_EXCL | O_NOFOLLOW, MyFlags);
  }
 #elif defined(HAVE_MKSTEMP) && !defined(__NETWARE__)
  {
@ -143,7 +143,7 @@ File create_temp_file(char *to, const char *dir, const char *prefix,
      strmake(to,res,FN_REFLEN-1);
      (*free)(res);
      file=my_create(to,0,
-		     (int) (O_RDWR | O_BINARY | O_TRUNC |
+		     (int) (O_RDWR | O_BINARY | O_TRUNC | O_EXCL | O_NOFOLLOW |
 			    O_TEMPORARY | O_SHORT_LIVED),
 		     MYF(MY_WME));
@ -186,7 +186,7 @@ File create_temp_file(char *to, const char *dir, const char *prefix,
      }
      (void) strmov(end_pos,TMP_EXT);
      file=my_create(to,0,
-		     (int) (O_RDWR | O_BINARY | O_TRUNC |
+		     (int) (O_RDWR | O_BINARY | O_TRUNC | O_EXCL | O_NOFOLLOW |
 			    O_TEMPORARY | O_SHORT_LIVED),
 		     MYF(MY_WME));
    }
--- a/sql/ha_myisam.cc
+++ b/sql/ha_myisam.cc
@ -1052,7 +1052,7 @@ int ha_myisam::create(const char *name, register TABLE *table_arg,
 		      HA_CREATE_INFO *info)
 {
  int error;
-  uint i,j,recpos,minpos,fieldpos,temp_length,length;
+  uint i,j,recpos,minpos,fieldpos,temp_length,length, create_flags;
  bool found_real_auto_increment=0;
  enum ha_base_keytype type;
  char buff[FN_REFLEN];
@ -1224,17 +1224,21 @@ int ha_myisam::create(const char *name, register TABLE *table_arg,
  create_info.data_file_name= info->data_file_name;
  create_info.index_file_name=info->index_file_name;
  if (info->options & HA_LEX_CREATE_TMP_TABLE)
    create_flags|= HA_CREATE_TMP_TABLE;
  if (options & HA_OPTION_PACK_RECORD)
    create_flags|= HA_PACK_RECORD;
  if (options & HA_OPTION_CHECKSUM)
    create_flags|= HA_CREATE_CHECKSUM;
  if (options & HA_OPTION_DELAY_KEY_WRITE)
    create_flags|= HA_CREATE_DELAY_KEY_WRITE;
  /* TODO: Check that the following fn_format is really needed */
  error=mi_create(fn_format(buff,name,"","",2+4),
 		  table_arg->keys,keydef,
 		  (uint) (recinfo_pos-recinfo), recinfo,
 		  0, (MI_UNIQUEDEF*) 0,
-		  &create_info,
+		  &create_info, create_flags);
 		  (((options & HA_OPTION_PACK_RECORD) ? HA_PACK_RECORD : 0) |
 		   ((options & HA_OPTION_CHECKSUM) ? HA_CREATE_CHECKSUM : 0) |
 		   ((options & HA_OPTION_DELAY_KEY_WRITE) ?
 		    HA_CREATE_DELAY_KEY_WRITE : 0)));
  my_free((gptr) recinfo,MYF(0));
  DBUG_RETURN(error);
--- a/sql/mysql_priv.h
+++ b/sql/mysql_priv.h
@ -728,7 +728,7 @@ extern my_bool opt_sql_bin_update, opt_safe_user_create, opt_no_mix_types;
 extern my_bool opt_safe_show_db, opt_local_infile;
 extern my_bool opt_slave_compressed_protocol, use_temp_pool;
 extern my_bool opt_readonly, lower_case_file_system;
-extern my_bool opt_enable_named_pipe, opt_sync_frm;
+extern my_bool opt_enable_named_pipe, opt_sync_frm, opt_allow_suspicious_udfs;
 extern MYSQL_LOG mysql_log,mysql_update_log,mysql_slow_log,mysql_bin_log;
 extern FILE *bootstrap_file;
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@ -302,7 +302,7 @@ static pthread_t select_thread;
 static my_bool opt_noacl=0, opt_bootstrap=0, opt_myisam_log=0;
 my_bool opt_safe_user_create = 0, opt_no_mix_types = 0;
 my_bool opt_show_slave_auth_info, opt_sql_bin_update = 0;
-my_bool opt_log_slave_updates= 0, opt_console= 0;
+my_bool opt_log_slave_updates= 0, opt_console= 0, opt_allow_suspicious_udfs;
 my_bool opt_readonly = 0, opt_sync_bdb_logs, opt_sync_frm;
 volatile bool  mqh_used = 0;
@ -3525,7 +3525,7 @@ enum options_mysqld {
  OPT_BDB_MAX_LOCK,
  OPT_ERROR_LOG_FILE,
  OPT_DEFAULT_WEEK_FORMAT,
-  OPT_RANGE_ALLOC_BLOCK_SIZE,
+  OPT_RANGE_ALLOC_BLOCK_SIZE, OPT_ALLOW_SUSPICIOUS_UDFS,
  OPT_QUERY_ALLOC_BLOCK_SIZE, OPT_QUERY_PREALLOC_SIZE,
  OPT_TRANS_ALLOC_BLOCK_SIZE, OPT_TRANS_PREALLOC_SIZE,
  OPT_SYNC_FRM, OPT_BDB_NOSYNC
@ -3538,6 +3538,13 @@ struct my_option my_long_options[] =
 {
  {"ansi", 'a', "Use ANSI SQL syntax instead of MySQL syntax", 0, 0, 0,
   GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},
  {"allow-suspicious-udfs", OPT_ALLOW_SUSPICIOUS_UDFS,
   "Allows to use UDF's consisting of only one symbol xxx() "
   "without corresponing xxx_init() or xxx_deinit(). That also means "
   "that one can load any function from any library, for example exit() "
   "from libc.so",
   (gptr*) &opt_allow_suspicious_udfs, (gptr*) &opt_allow_suspicious_udfs,
   0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
  {"basedir", 'b',
   "Path to installation directory. All paths are usually resolved relative to this.",
   (gptr*) &mysql_home_ptr, (gptr*) &mysql_home_ptr, 0, GET_STR, REQUIRED_ARG,
--- a/sql/share/english/errmsg.txt
+++ b/sql/share/english/errmsg.txt
@ -141,7 +141,7 @@
 "No paths allowed for shared library",
 "Function '%-.64s' already exist",
 "Can't open shared library '%-.64s' (errno: %d %-.64s)",
-"Can't find function '%-.64s' in library'",
+"Can't find function '%-.64s' in library",
 "Function '%-.64s' is not defined",
 "Host '%-.64s' is blocked because of many connection errors.  Unblock with 'mysqladmin flush-hosts'",
 "Host '%-.64s' is not allowed to connect to this MySQL server",
--- a/sql/sql_udf.cc
+++ b/sql/sql_udf.cc
@ -73,29 +73,49 @@ static HASH udf_hash;
 static pthread_mutex_t THR_LOCK_udf;
-static udf_func *add_udf(char *name, Item_result ret, char *dl,
+static udf_func *add_udf(char *name, Item_result ret,
-			 Item_udftype typ);
+                         char *dl, Item_udftype typ);
 static void del_udf(udf_func *udf);
 static void *find_udf_dl(const char *dl);
-
+static char *init_syms(udf_func *tmp, char *nm)
 static void init_syms(udf_func *tmp)
 {
-  char nm[MAX_FIELD_NAME+16],*end;
+  char *end;
  if (!((tmp->func= dlsym(tmp->dlhandle, tmp->name))))
    return tmp->name;
  tmp->func = dlsym(tmp->dlhandle, tmp->name);
  end=strmov(nm,tmp->name);
-  (void) strmov(end,"_init");
+
  tmp->func_init = dlsym(tmp->dlhandle, nm);
  (void) strmov(end,"_deinit");
  tmp->func_deinit = dlsym(tmp->dlhandle, nm);
  if (tmp->type == UDFTYPE_AGGREGATE)
  {
    (void)strmov(end, "_reset");
-    tmp->func_reset = dlsym( tmp->dlhandle, nm );
+    if (!((tmp->func_reset= dlsym(tmp->dlhandle, nm))))
      return nm;
    (void)strmov(end, "_add");
-    tmp->func_add = dlsym( tmp->dlhandle, nm );
+    if (!((tmp->func_add= dlsym(tmp->dlhandle, nm))))
      return nm;
  }
  (void) strmov(end,"_deinit");
  tmp->func_deinit= dlsym(tmp->dlhandle, nm);
  (void) strmov(end,"_init");
  tmp->func_init= dlsym(tmp->dlhandle, nm);
  /*
    to prefent loading "udf" from, e.g. libc.so
    let's ensure that at least one auxiliary symbol is defined
  */
  if (!tmp->func_init && !tmp->func_deinit && tmp->type != UDFTYPE_AGGREGATE)
  {
    if (opt_allow_suspicious_udfs)
      sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), nm);
    else
      return nm;
  }
  return 0;
 }
 extern "C" byte* get_hash_key(const byte *buff,uint *length,
@ -107,7 +127,7 @@ extern "C" byte* get_hash_key(const byte *buff,uint *length,
 }
 /*
-** Read all predeclared functions from func@mysql and accept all that
+** Read all predeclared functions from mysql.func and accept all that
 ** can be used.
 */
@ -149,7 +169,7 @@ void udf_init()
  if (open_and_lock_tables(new_thd, &tables))
  {
    DBUG_PRINT("error",("Can't open udf table"));
-    sql_print_error("Can't open the mysql/func table. Please run the mysql_install_db script to create it.");
+    sql_print_error("Can't open the mysql.func table. Please run the mysql_install_db script to create it.");
    goto end;
  }
@ -165,10 +185,22 @@ void udf_init()
    if (table->fields >= 4)			// New func table
      udftype=(Item_udftype) table->field[3]->val_int();
    /*
      Ensure that the .dll doesn't have a path
      This is done to ensure that only approved dll from the system
      directories are used (to make this even remotely secure).
    */
    if (strchr(dl_name, '/') || strlen(name) > NAME_LEN)
    {
      sql_print_error("Invalid row in mysql.func table for function '%.64s'",
                      name);
      continue;
    }
    if (!(tmp = add_udf(name,(Item_result) table->field[1]->val_int(),
 			dl_name, udftype)))
    {
-      sql_print_error("Can't alloc memory for udf function: name");
+      sql_print_error("Can't alloc memory for udf function: '%.64s'", name);
      continue;
    }
@ -186,15 +218,17 @@ void udf_init()
      new_dl=1;
    }
    tmp->dlhandle = dl;
    init_syms(tmp);
    if (!tmp->func)
    {
-      sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), name);
+      char buf[MAX_FIELD_NAME+16], *missing;
      if ((missing= init_syms(tmp, buf)))
      {
        sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), missing);
        del_udf(tmp);
        if (new_dl)
          dlclose(dl);
      }
    }
  }
  if (error > 0)
    sql_print_error(ER(ER_GET_ERRNO), my_errno);
  end_read_record(&read_record_info);
@ -398,13 +432,15 @@ int mysql_create_function(THD *thd,udf_func *udf)
    new_dl=1;
  }
  udf->dlhandle=dl;
  init_syms(udf);
  if (udf->func == NULL)
  {
-    net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, udf->name);
+    char buf[MAX_FIELD_NAME+16], *missing;
    if ((missing= init_syms(udf, buf)))
    {
      net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, missing);
      goto err;
    }
  }
  udf->name=strdup_root(&mem,udf->name);
  udf->dl=strdup_root(&mem,udf->dl);
  if (!(u_d=add_udf(udf->name,udf->returns,udf->dl,udf->type)))
@ -419,7 +455,7 @@ int mysql_create_function(THD *thd,udf_func *udf)
  u_d->func_reset=udf->func_reset;
  u_d->func_add=udf->func_add;
-  /* create entry in mysql/func table */
+  /* create entry in mysql.func table */
  bzero((char*) &tables,sizeof(tables));
  tables.db= (char*) "mysql";
@ -439,7 +475,7 @@ int mysql_create_function(THD *thd,udf_func *udf)
  close_thread_tables(thd);
  if (error)
  {
-    net_printf(&thd->net, ER_ERROR_ON_WRITE, "func@mysql",error);
+    net_printf(&thd->net, ER_ERROR_ON_WRITE, "mysql.func",error);
    del_udf(u_d);
    goto err;
  }
--- a/sql/table.cc
+++ b/sql/table.cc
@ -1048,6 +1048,10 @@ File create_frm(register my_string name, uint reclength, uchar *fileinfo,
  uint key_length;
  ulong length;
  char fill[IO_SIZE];
  int create_flags= O_RDWR | O_TRUNC;
  if (create_info->options & HA_LEX_CREATE_TMP_TABLE)
    create_flags|= O_EXCL | O_NOFOLLOW;
 #if SIZEOF_OFF_T > 4
  /* Fix this in MySQL 4.0;  The current limit is 4G rows (QQ) */
@ -1062,7 +1066,7 @@ File create_frm(register my_string name, uint reclength, uchar *fileinfo,
  */
  set_if_smaller(create_info->raid_chunks, 255);
-  if ((file=my_create(name,CREATE_MODE,O_RDWR | O_TRUNC,MYF(MY_WME))) >= 0)
+  if ((file= my_create(name, CREATE_MODE, create_flags, MYF(MY_WME))) >= 0)
  {
    bzero((char*) fileinfo,64);
    fileinfo[0]=(uchar) 254; fileinfo[1]= 1; fileinfo[2]= FRM_VER+1; // Header