Commit f80a925e authored by Sunanda Menon's avatar Sunanda Menon

------------------------------------------------------------

revno: 2861
committer: Georgi Kodinov <joro@sun.com>
branch nick: B53371-5.0-bugteam
timestamp: Mon 2010-05-03 18:16:51 +0300
message:
  Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
  
  The server was not checking the supplied to COM_FIELD_LIST table name
  for validity and compliance to acceptable table names standards.
  Fixed by checking the table name for compliance similar to how it's 
  normally checked by the parser and returning an error message if 
  it's not compliant.
parent d349029e
...@@ -2042,6 +2042,13 @@ bool dispatch_command(enum enum_server_command command, THD *thd, ...@@ -2042,6 +2042,13 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
} }
thd->convert_string(&conv_name, system_charset_info, thd->convert_string(&conv_name, system_charset_info,
packet, arg_length, thd->charset()); packet, arg_length, thd->charset());
if (check_table_name (conv_name.str, conv_name.length))
{
/* this is OK due to convert_string() null-terminating the string */
my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
break;
}
table_list.alias= table_list.table_name= conv_name.str; table_list.alias= table_list.table_name= conv_name.str;
packet= pend+1; packet= pend+1;
......
...@@ -16679,6 +16679,47 @@ static void test_bug45010() ...@@ -16679,6 +16679,47 @@ static void test_bug45010()
} }
static void test_bug53371()
{
int rc;
MYSQL_RES *result;
myheader("test_bug53371");
rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
myquery(rc);
rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
myquery(rc);
rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
myquery(rc);
rc= mysql_query(mysql, "CREATE DATABASE bug53371");
myquery(rc);
rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
myquery(rc);
rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
myquery(rc);
rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
DIE_UNLESS(rc);
DIE_UNLESS(mysql_errno(mysql) == 1142);
result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
DIE_IF(result);
rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
myquery(rc);
rc= mysql_query(mysql, "DROP TABLE t1");
myquery(rc);
rc= mysql_query(mysql, "DROP DATABASE bug53371");
myquery(rc);
rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
myquery(rc);
}
/* /*
Read and parse arguments and MySQL options from my.cnf Read and parse arguments and MySQL options from my.cnf
*/ */
...@@ -16982,6 +17023,7 @@ static struct my_tests_st my_tests[]= { ...@@ -16982,6 +17023,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug41078", test_bug41078 }, { "test_bug41078", test_bug41078 },
{ "test_bug20023", test_bug20023 }, { "test_bug20023", test_bug20023 },
{ "test_bug45010", test_bug45010 }, { "test_bug45010", test_bug45010 },
{ "test_bug53371", test_bug53371 },
{ 0, 0 } { 0, 0 }
}; };
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment