Merged 5.0-security->5.1-security

98b0b5eb · Georgi Kodinov · 9fd95b1f · aa30a77d · 98b0b5eb · 98b0b5eb
Commit 98b0b5eb authored May 04, 2011 by Georgi Kodinov
6 changed files
--- a/mysql-test/r/secure_file_priv_win.result
+++ b/mysql-test/r/secure_file_priv_win.result
+CREATE TABLE t1 (c1 longtext);
+INSERT INTO t1 values ('a');
+SELECT * FROM t1 INTO OUTFILE 'd:/mysql/work/test-5.0-security/mysql-test/var/tmp/B11764517.tmp';
+show global variables like 'secure_file_priv';
+Variable_name	Value
+secure_file_priv	MYSQL_TMP_DIR/
+SELECT load_file('MYSQL_TMP_DIR\\B11764517.tmp') AS x;
+x
+a
+
+SELECT load_file('MYSQL_TMP_DIR/B11764517.tmp') AS x;
+x
+a
+
+SELECT load_file('MYSQL_TMP_DIR_UCASE/B11764517.tmp') AS x;
+x
+a
+
+SELECT load_file('MYSQL_TMP_DIR_LCASE/B11764517.tmp') AS x;
+x
+a
+
+SELECT load_file('MYSQL_TMP_DIR\\..a..\\..\\..\\B11764517.tmp') AS x;
+x
+NULL
+LOAD DATA INFILE 'MYSQL_TMP_DIR\\B11764517.tmp' INTO TABLE t1;
+LOAD DATA INFILE 'MYSQL_TMP_DIR/B11764517.tmp' INTO TABLE t1;
+LOAD DATA INFILE 'MYSQL_TMP_DIR_UCASE/B11764517.tmp' INTO TABLE t1;
+LOAD DATA INFILE 'MYSQL_TMP_DIR_LCASE/B11764517.tmp' INTO TABLE t1;
+LOAD DATA INFILE "MYSQL_TMP_DIR\\..a..\\..\\..\\B11764517.tmp" into table t1;
+ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
+SELECT * FROM t1 INTO OUTFILE 'MYSQL_TMP_DIR\\..a..\\..\\..\\B11764517-2.tmp';
+ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
+SELECT * FROM t1 INTO OUTFILE 'MYSQL_TMP_DIR\\B11764517-2.tmp';
+SELECT * FROM t1 INTO OUTFILE 'MYSQL_TMP_DIR/B11764517-3.tmp';
+SELECT * FROM t1 INTO OUTFILE 'MYSQL_TMP_DIR_UCASE/B11764517-4.tmp';
+SELECT * FROM t1 INTO OUTFILE 'MYSQL_TMP_DIR_LCASE/B11764517-5.tmp';
+DROP TABLE t1;
--- a/mysql-test/t/secure_file_priv_win-master.opt
+++ b/mysql-test/t/secure_file_priv_win-master.opt
+--secure_file_priv=$MYSQL_TMP_DIR
--- a/mysql-test/t/secure_file_priv_win.test
+++ b/mysql-test/t/secure_file_priv_win.test
+#
+# Bug58747 breaks secure_file_priv+not secure yet+still accesses other folders
+#
+
+# we do the windows specific relative directory testing
+
+--source include/windows.inc
+
+CREATE TABLE t1 (c1 longtext);
+INSERT INTO t1 values ('a');
+
+LET $MYSQL_TMP_DIR_UCASE= `SELECT upper('$MYSQL_TMP_DIR')`;
+LET $MYSQL_TMP_DIR_LCASE= `SELECT lower('$MYSQL_TMP_DIR')`;
+
+#create the file
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+eval SELECT * FROM t1 INTO OUTFILE '$MYSQL_TMP_DIR_LCASE/B11764517.tmp';
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+show global variables like 'secure_file_priv';
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+eval SELECT load_file('$MYSQL_TMP_DIR\\\\B11764517.tmp') AS x;
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+eval SELECT load_file('$MYSQL_TMP_DIR/B11764517.tmp') AS x;
+
+--replace_result $MYSQL_TMP_DIR_UCASE MYSQL_TMP_DIR_UCASE
+eval SELECT load_file('$MYSQL_TMP_DIR_UCASE/B11764517.tmp') AS x;
+
+--replace_result $MYSQL_TMP_DIR_LCASE MYSQL_TMP_DIR_LCASE
+eval SELECT load_file('$MYSQL_TMP_DIR_LCASE/B11764517.tmp') AS x;
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+eval SELECT load_file('$MYSQL_TMP_DIR\\\\..a..\\\\..\\\\..\\\\B11764517.tmp') AS x;
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+eval LOAD DATA INFILE '$MYSQL_TMP_DIR\\\\B11764517.tmp' INTO TABLE t1;
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+eval LOAD DATA INFILE '$MYSQL_TMP_DIR/B11764517.tmp' INTO TABLE t1;
+
+--replace_result $MYSQL_TMP_DIR_UCASE MYSQL_TMP_DIR_UCASE
+eval LOAD DATA INFILE '$MYSQL_TMP_DIR_UCASE/B11764517.tmp' INTO TABLE t1;
+
+--replace_result $MYSQL_TMP_DIR_LCASE MYSQL_TMP_DIR_LCASE
+eval LOAD DATA INFILE '$MYSQL_TMP_DIR_LCASE/B11764517.tmp' INTO TABLE t1;
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--error ER_OPTION_PREVENTS_STATEMENT
+eval LOAD DATA INFILE "$MYSQL_TMP_DIR\\\\..a..\\\\..\\\\..\\\\B11764517.tmp" into table t1;
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--error ER_OPTION_PREVENTS_STATEMENT
+eval SELECT * FROM t1 INTO OUTFILE '$MYSQL_TMP_DIR\\\\..a..\\\\..\\\\..\\\\B11764517-2.tmp';
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+eval SELECT * FROM t1 INTO OUTFILE '$MYSQL_TMP_DIR\\\\B11764517-2.tmp';
+
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+eval SELECT * FROM t1 INTO OUTFILE '$MYSQL_TMP_DIR/B11764517-3.tmp';
+
+--replace_result $MYSQL_TMP_DIR_UCASE MYSQL_TMP_DIR_UCASE
+eval SELECT * FROM t1 INTO OUTFILE '$MYSQL_TMP_DIR_UCASE/B11764517-4.tmp';
+
+--replace_result $MYSQL_TMP_DIR_LCASE MYSQL_TMP_DIR_LCASE
+eval SELECT * FROM t1 INTO OUTFILE '$MYSQL_TMP_DIR_LCASE/B11764517-5.tmp';
+
+--error 0,1
+--remove_file $MYSQL_TMP_DIR/B11764517.tmp;
+--error 0,1
+--remove_file $MYSQL_TMP_DIR/B11764517-2.tmp;
+--error 0,1
+--remove_file $MYSQL_TMP_DIR/B11764517-3.tmp;
+--error 0,1
+--remove_file $MYSQL_TMP_DIR/B11764517-4.tmp;
+--error 0,1
+--remove_file $MYSQL_TMP_DIR/B11764517-5.tmp;
+DROP TABLE t1;
--- a/mysys/my_symlink.c
+++ b/mysys/my_symlink.c
@@ -144,24 +144,23 @@ int my_realpath(char *to, const char *filename, myf MyFlags)
    result= -1;
  }
  DBUG_RETURN(result);
-#else
-#ifdef _WIN32
-  int ret= GetFullPathName(filename,FN_REFLEN,
-                           to,
-                           NULL);
+#elif defined(_WIN32)
+  int ret= GetFullPathName(filename,FN_REFLEN, to, NULL);
  if (ret == 0 || ret > FN_REFLEN)
  {
-    if (ret > FN_REFLEN)
-      my_errno= ENAMETOOLONG;
-    else
-      my_errno= EACCES;
+    my_errno= (ret > FN_REFLEN) ? ENAMETOOLONG : GetLastError();
    if (MyFlags & MY_WME)
      my_error(EE_REALPATH, MYF(0), filename, my_errno);
-	  return -1;
+    /* 
+      GetFullPathName didn't work : use my_load_path() which is a poor 
+      substitute original name but will at least be able to resolve 
+      paths that starts with '.'.
+    */  
+    my_load_path(to, filename, NullS);
+    return -1;
  }
 #else
  my_load_path(to, filename, NullS);
 #endif
  return 0;
-#endif
 }
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -8961,12 +8961,15 @@ fn_format_relative_to_data_home(char * to, const char *name,
 bool is_secure_file_path(char *path)
 {
  char buff1[FN_REFLEN], buff2[FN_REFLEN];
+  size_t opt_secure_file_priv_len;
  /*
    All paths are secure if opt_secure_file_path is 0
  */
  if (!opt_secure_file_priv)
    return TRUE;

+  opt_secure_file_priv_len= strlen(opt_secure_file_priv);
+
  if (strlen(path) >= FN_REFLEN)
    return FALSE;

@@ -8984,11 +8987,24 @@ bool is_secure_file_path(char *path)
      return FALSE;
  }
  convert_dirname(buff2, buff1, NullS);
-  if (strncmp(opt_secure_file_priv, buff2, strlen(opt_secure_file_priv)))
-    return FALSE;
+  if (!lower_case_file_system)
+  {
+    if (strncmp(opt_secure_file_priv, buff2, opt_secure_file_priv_len))
+      return FALSE;
+  }
+  else
+  {
+    if (files_charset_info->coll->strnncoll(files_charset_info,
+                                            (uchar *) buff2, strlen(buff2),
+                                            (uchar *) opt_secure_file_priv,
+                                            opt_secure_file_priv_len,
+                                            TRUE))
+      return FALSE;
+  }
  return TRUE;
 }

+
 static int fix_paths(void)
 {
  char buff[FN_REFLEN],*pos;

--- a/sql/sql_load.cc
+++ b/sql/sql_load.cc
@@ -348,21 +348,21 @@ int mysql_load(THD *thd,sql_exchange *ex,TABLE_LIST *table_list,

 #if !defined(__WIN__) && ! defined(__NETWARE__)
    MY_STAT stat_info;
-    if (!my_stat(name,&stat_info,MYF(MY_WME)))
-	    DBUG_RETURN(TRUE);
+    if (!my_stat(name, &stat_info, MYF(MY_WME)))
+      DBUG_RETURN(TRUE);

    // if we are not in slave thread, the file must be:
    if (!thd->slave_thread &&
-	      !((stat_info.st_mode & S_IROTH) == S_IROTH &&  // readable by others
-	        (stat_info.st_mode & S_IFLNK) != S_IFLNK && // and not a symlink
-	        ((stat_info.st_mode & S_IFREG) == S_IFREG ||
-	         (stat_info.st_mode & S_IFIFO) == S_IFIFO)))
+        !((stat_info.st_mode & S_IROTH) == S_IROTH &&  // readable by others
+          (stat_info.st_mode & S_IFLNK) != S_IFLNK &&  // and not a symlink
+          ((stat_info.st_mode & S_IFREG) == S_IFREG || // and a regular file
+           (stat_info.st_mode & S_IFIFO) == S_IFIFO))) // or FIFO
    {
-	    my_error(ER_TEXTFILE_NOT_READABLE, MYF(0), name);
-	    DBUG_RETURN(TRUE);
+      my_error(ER_TEXTFILE_NOT_READABLE, MYF(0), name);
+      DBUG_RETURN(TRUE);
    }
    if ((stat_info.st_mode & S_IFIFO) == S_IFIFO)
-	    is_fifo = 1;
+      is_fifo= 1;
 #endif

    if ((file=my_open(name,O_RDONLY,MYF(MY_WME))) < 0)