Bug#26372491 - RCE THROUGH THE MISHANDLE OF BACKSLASH

DESCRIPTION: =========== The bug is related to incorrect parsing of SQL queries when typed in on the CLI. The incorrect parsing can result in unexpected results. ANALYSIS: ======== The scenarios mainly happens for identifier names with a typical combination of backslashes and backticks. The incorrect parsing can either result in executing additional queries or can result in query truncation. This can impact mysqldump as well. FIX: === The fix makes sure that such identifier names are correctly parsed and a proper query is sent to the server for execution.

Bug#26372491 - RCE THROUGH THE MISHANDLE OF BACKSLASH
DESCRIPTION: =========== The bug is related to incorrect parsing of SQL queries when typed in on the CLI. The incorrect parsing can result in unexpected results. ANALYSIS: ======== The scenarios mainly happens for identifier names with a typical combination of backslashes and backticks. The incorrect parsing can either result in executing additional queries or can result in query truncation. This can impact mysqldump as well. FIX: === The fix makes sure that such identifier names are correctly parsed and a proper query is sent to the server for execution.
43632f4c · Anushree Prakash B · 14176f71 · 43632f4c
Commit 43632f4c authored Sep 08, 2017 by Anushree Prakash B
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

client/mysql.cc client/mysql.cc +4 -1

No files found.
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -2119,7 +2119,10 @@ static bool add_line(String &buffer,char *line,char *in_string,
      if (*in_string || inchar == 'N')	// \N is short for NULL
      {					// Don't allow commands in string
 	*out++='\\';
-	*out++= (char) inchar;
+        if ((inchar == '`') && (*in_string == inchar))
+          pos--;
+        else
+	  *out++= (char) inchar;
 	continue;
      }
      if ((com=find_command(NullS,(char) inchar)))