-
unknown authored
When the client program had its stdout file descriptor closed by the calling shell, after some amount of work (enough to fill a socket buffer) the server would complain about a packet error and then disconnect the client. This is a serious security problem. If stdout is closed before the mysql is exec()d, then the first socket() call allocates file number 1 to communicate with the server. Subsequent write()s to that file number (as when printing results that come back from the database) go back to the server instead in the command channel. So, one should be able to craft data which, upon being selected back from the server to the client, and injected into the command stream become valid MySQL protocol to do something nasty when sent /back/ to the server. The solution is to close explicitly the file descriptor that we *printf() to, so that the libc layer and the OS layer both agree that the file is closed. BitKeeper/etc/collapsed: BitKeeper file /home/cmiller/work/mysql/bug17583/my41-bug17583/BitKeeper/etc/collapsed client/mysql.cc: If standard output is not open (specifically, if dup() of its file number fails) then we explicitly close it so that future uses of the file descriptor behave correctly for a closed file. mysql-test/r/mysql_client.result: Prove that the problem of writing SQL output to the command socket no longer exists. mysql-test/t/mysql_client.test: Prove that the problem of writing SQL output to the command socket no longer exists.
8af12677