Commit ade1c74b authored by 's avatar

BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave

Backport to 5.0.

/*![:version:] Query Code */, where [:version:] is a sequence of 5 
digits representing the mysql server version(e.g /*!50200 ... */),
is a special comment that the query in it can be executed on those 
servers whose versions are larger than the version appearing in the 
comment. It leads to a security issue when slave's version is larger 
than master's. A malicious user can improve his privileges on slaves. 
Because slave SQL thread is running with SUPER privileges, so it can
execute queries that he/she does not have privileges on master.
      
This bug is fixed with the logic below: 
- To replace '!' with ' ' in the magic comments which are not applied on
  master. So they become common comments and will not be applied on slave.
      
- Example:
  'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
   will be binlogged as
  'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
parent 0355456d
stop slave;
drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9;
reset master;
reset slave;
drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9;
start slave;
CREATE TABLE t1(c1 INT);
show binlog events from <binlog_start>;
Log_name Pos Event_type Server_id End_log_pos Info
master-bin.000001 # Query # # use `test`; CREATE TABLE t1(c1 INT)
# Case 1:
# ------------------------------------------------------------------
# In a statement, some CCs are applied while others are not. The CCs
# which are not applied on master will be binlogged as common comments.
/*!99999 --- */INSERT /*!INTO*/ /*!10000 t1 */ VALUES(10) /*!99999 ,(11)*/;
show binlog events from <binlog_start>;
Log_name Pos Event_type Server_id End_log_pos Info
master-bin.000001 # Query # # use `test`; /* 99999 --- */INSERT /*!INTO*/ /*!10000 t1 */ VALUES(10) /* 99999 ,(11)*/
Comparing tables master:test.t1 and slave:test.t1
# Case 2:
# -----------------------------------------------------------------
# Verify whether it can be binlogged correctly when executing prepared
# statement.
PREPARE stmt FROM 'INSERT INTO /*!99999 blabla*/ t1 VALUES(60) /*!99999 ,(61)*/';
EXECUTE stmt;
DROP TABLE t1;
CREATE TABLE t1(c1 INT);
EXECUTE stmt;
Comparing tables master:test.t1 and slave:test.t1
SET @value=62;
PREPARE stmt FROM 'INSERT INTO /*!99999 blabla */ t1 VALUES(?) /*!99999 ,(63)*/';
EXECUTE stmt USING @value;
DROP TABLE t1;
CREATE TABLE t1(c1 INT);
EXECUTE stmt USING @value;
show binlog events from <binlog_start>;
Log_name Pos Event_type Server_id End_log_pos Info
master-bin.000001 # Query # # use `test`; INSERT INTO /* 99999 blabla*/ t1 VALUES(60) /* 99999 ,(61)*/
master-bin.000001 # Query # # use `test`; DROP TABLE t1
master-bin.000001 # Query # # use `test`; CREATE TABLE t1(c1 INT)
master-bin.000001 # Query # # use `test`; INSERT INTO /* 99999 blabla*/ t1 VALUES(60) /* 99999 ,(61)*/
master-bin.000001 # Query # # use `test`; INSERT INTO /* 99999 blabla */ t1 VALUES(62) /* 99999 ,(63)*/
master-bin.000001 # Query # # use `test`; DROP TABLE t1
master-bin.000001 # Query # # use `test`; CREATE TABLE t1(c1 INT)
master-bin.000001 # Query # # use `test`; INSERT INTO /* 99999 blabla */ t1 VALUES(62) /* 99999 ,(63)*/
Comparing tables master:test.t1 and slave:test.t1
# Case 3:
# -----------------------------------------------------------------
# Verify it can restore the '!', if the it is an uncomplete conditional
# comments
SELECT c1 FROM /*!99999 t1 WHEREN;
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/*!99999 t1 WHEREN' at line 1
DROP TABLE t1;
###############################################################################
# After the patch for BUG#49124:
# - Use ' ' instead of '!' in the conditional comments which are not applied on
# master. So they become common comments and will not be applied on slave.
#
# - Example:
# 'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
# will be binlogged as
# 'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/'.
###############################################################################
source include/master-slave.inc;
CREATE TABLE t1(c1 INT);
source include/show_binlog_events.inc;
let $binlog_start= query_get_value(SHOW MASTER STATUS, Position, 1);
--echo
--echo # Case 1:
--echo # ------------------------------------------------------------------
--echo # In a statement, some CCs are applied while others are not. The CCs
--echo # which are not applied on master will be binlogged as common comments.
/*!99999 --- */INSERT /*!INTO*/ /*!10000 t1 */ VALUES(10) /*!99999 ,(11)*/;
source include/show_binlog_events.inc;
let $binlog_start= query_get_value(SHOW MASTER STATUS, Position, 1);
sync_slave_with_master;
let $diff_table_1=master:test.t1;
let $diff_table_2=slave:test.t1;
source include/diff_tables.inc;
--echo
--echo # Case 2:
--echo # -----------------------------------------------------------------
--echo # Verify whether it can be binlogged correctly when executing prepared
--echo # statement.
PREPARE stmt FROM 'INSERT INTO /*!99999 blabla*/ t1 VALUES(60) /*!99999 ,(61)*/';
EXECUTE stmt;
DROP TABLE t1;
CREATE TABLE t1(c1 INT);
EXECUTE stmt;
sync_slave_with_master;
let $diff_table_1=master:test.t1;
let $diff_table_2=slave:test.t1;
source include/diff_tables.inc;
--echo
SET @value=62;
PREPARE stmt FROM 'INSERT INTO /*!99999 blabla */ t1 VALUES(?) /*!99999 ,(63)*/';
EXECUTE stmt USING @value;
DROP TABLE t1;
CREATE TABLE t1(c1 INT);
EXECUTE stmt USING @value;
source include/show_binlog_events.inc;
let $binlog_start= query_get_value(SHOW MASTER STATUS, Position, 1);
sync_slave_with_master;
let $diff_table_1=master:test.t1;
let $diff_table_2=slave:test.t1;
source include/diff_tables.inc;
--echo
--echo # Case 3:
--echo # -----------------------------------------------------------------
--echo # Verify it can restore the '!', if the it is an uncomplete conditional
--echo # comments
--error 1064
SELECT c1 FROM /*!99999 t1 WHEREN;
DROP TABLE t1;
source include/master-slave-end.inc;
...@@ -751,7 +751,7 @@ bool do_rename(THD *thd, TABLE_LIST *ren_table, char *new_db, ...@@ -751,7 +751,7 @@ bool do_rename(THD *thd, TABLE_LIST *ren_table, char *new_db,
bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name,
bool force_switch); bool force_switch);
void mysql_parse(THD *thd, const char *inBuf, uint length, void mysql_parse(THD *thd, char *rawbuf, uint length,
const char ** semicolon); const char ** semicolon);
bool mysql_test_parse_for_slave(THD *thd,char *inBuf,uint length); bool mysql_test_parse_for_slave(THD *thd,char *inBuf,uint length);
......
...@@ -109,7 +109,7 @@ st_parsing_options::reset() ...@@ -109,7 +109,7 @@ st_parsing_options::reset()
} }
Lex_input_stream::Lex_input_stream(THD *thd, Lex_input_stream::Lex_input_stream(THD *thd,
const char* buffer, char* buffer,
unsigned int length) unsigned int length)
: m_thd(thd), : m_thd(thd),
yylineno(1), yylineno(1),
...@@ -580,7 +580,7 @@ int MYSQLlex(void *arg, void *yythd) ...@@ -580,7 +580,7 @@ int MYSQLlex(void *arg, void *yythd)
state=MY_LEX_COMMENT; state=MY_LEX_COMMENT;
break; break;
} }
yylval->lex_str.str=(char*) (lip->ptr=lip->tok_start);// Set to first chr yylval->lex_str.str=lip->ptr=(char*)lip->tok_start;// Set to first chr
yylval->lex_str.length=1; yylval->lex_str.length=1;
c=yyGet(); c=yyGet();
if (c != ')') if (c != ')')
...@@ -946,6 +946,9 @@ int MYSQLlex(void *arg, void *yythd) ...@@ -946,6 +946,9 @@ int MYSQLlex(void *arg, void *yythd)
state = MY_LEX_START; // Try again state = MY_LEX_START; // Try again
break; break;
case MY_LEX_LONG_COMMENT: /* Long C comment? */ case MY_LEX_LONG_COMMENT: /* Long C comment? */
{
char *version_mark= NULL;
if (yyPeek() != '*') if (yyPeek() != '*')
{ {
state=MY_LEX_CHAR; // Probable division state=MY_LEX_CHAR; // Probable division
...@@ -956,6 +959,8 @@ int MYSQLlex(void *arg, void *yythd) ...@@ -956,6 +959,8 @@ int MYSQLlex(void *arg, void *yythd)
if (yyPeek() == '!') // MySQL command in comment if (yyPeek() == '!') // MySQL command in comment
{ {
ulong version=MYSQL_VERSION_ID; ulong version=MYSQL_VERSION_ID;
version_mark= lip->ptr;
yySkip(); yySkip();
state=MY_LEX_START; state=MY_LEX_START;
if (my_isdigit(cs,yyPeek())) if (my_isdigit(cs,yyPeek()))
...@@ -965,8 +970,17 @@ int MYSQLlex(void *arg, void *yythd) ...@@ -965,8 +970,17 @@ int MYSQLlex(void *arg, void *yythd)
if (version <= MYSQL_VERSION_ID) if (version <= MYSQL_VERSION_ID)
{ {
lex->in_comment=1; lex->in_comment=1;
version_mark= NULL;
break; break;
} }
else
{
/*
Patch and skip the conditional comment to avoid it
being propagated infinitely (eg. to a slave).
*/
*version_mark= ' ';
}
} }
/* /*
Discard: Discard:
...@@ -995,8 +1009,13 @@ int MYSQLlex(void *arg, void *yythd) ...@@ -995,8 +1009,13 @@ int MYSQLlex(void *arg, void *yythd)
} }
/* Unbalanced comments with a missing '*' '/' are a syntax error */ /* Unbalanced comments with a missing '*' '/' are a syntax error */
if (! comment_closed) if (! comment_closed)
{
if (version_mark != NULL)
*version_mark= '!';
return (ABORT_SYM); return (ABORT_SYM);
}
break; break;
}
case MY_LEX_END_LONG_COMMENT: case MY_LEX_END_LONG_COMMENT:
if (lex->in_comment && yyPeek() == '/') if (lex->in_comment && yyPeek() == '/')
{ {
......
...@@ -935,7 +935,7 @@ struct st_parsing_options ...@@ -935,7 +935,7 @@ struct st_parsing_options
class Lex_input_stream class Lex_input_stream
{ {
public: public:
Lex_input_stream(THD *thd, const char* buff, unsigned int length); Lex_input_stream(THD *thd, char* buff, unsigned int length);
~Lex_input_stream(); ~Lex_input_stream();
/** Current thread. */ /** Current thread. */
...@@ -951,7 +951,7 @@ class Lex_input_stream ...@@ -951,7 +951,7 @@ class Lex_input_stream
LEX_YYSTYPE yylval; LEX_YYSTYPE yylval;
/** Pointer to the current position in the input stream. */ /** Pointer to the current position in the input stream. */
const char* ptr; char* ptr;
/** Starting position of the last token parsed. */ /** Starting position of the last token parsed. */
const char* tok_start; const char* tok_start;
...@@ -966,7 +966,7 @@ class Lex_input_stream ...@@ -966,7 +966,7 @@ class Lex_input_stream
const char* tok_start_prev; const char* tok_start_prev;
/** Begining of the query text in the input stream. */ /** Begining of the query text in the input stream. */
const char* buf; char* buf;
/** Current state of the lexical analyser. */ /** Current state of the lexical analyser. */
enum my_lex_states next_state; enum my_lex_states next_state;
...@@ -1355,7 +1355,7 @@ class Yacc_state ...@@ -1355,7 +1355,7 @@ class Yacc_state
class Parser_state class Parser_state
{ {
public: public:
Parser_state(THD *thd, const char* buff, unsigned int length) Parser_state(THD *thd, char* buff, unsigned int length)
: m_lip(thd, buff, length), m_yacc() : m_lip(thd, buff, length), m_yacc()
{} {}
......
...@@ -6414,13 +6414,13 @@ void mysql_init_multi_delete(LEX *lex) ...@@ -6414,13 +6414,13 @@ void mysql_init_multi_delete(LEX *lex)
/** /**
Parse a query. Parse a query.
@param thd Current thread @param thd Current thread
@param inBuf Begining of the query text @param rawbuf Begining of the query text
@param length Length of the query text @param length Length of the query text
@param [out] semicolon For multi queries, position of the character of @param [out] semicolon For multi queries, position of the character of
the next query in the query text. the next query in the query text.
*/ */
void mysql_parse(THD *thd, const char *inBuf, uint length, void mysql_parse(THD *thd, char *rawbuf, uint length,
const char ** found_semicolon) const char ** found_semicolon)
{ {
DBUG_ENTER("mysql_parse"); DBUG_ENTER("mysql_parse");
...@@ -6446,14 +6446,14 @@ void mysql_parse(THD *thd, const char *inBuf, uint length, ...@@ -6446,14 +6446,14 @@ void mysql_parse(THD *thd, const char *inBuf, uint length,
lex_start(thd); lex_start(thd);
mysql_reset_thd_for_next_command(thd); mysql_reset_thd_for_next_command(thd);
if (query_cache_send_result_to_client(thd, (char*) inBuf, length) <= 0) if (query_cache_send_result_to_client(thd, rawbuf, length) <= 0)
{ {
LEX *lex= thd->lex; LEX *lex= thd->lex;
sp_cache_flush_obsolete(&thd->sp_proc_cache); sp_cache_flush_obsolete(&thd->sp_proc_cache);
sp_cache_flush_obsolete(&thd->sp_func_cache); sp_cache_flush_obsolete(&thd->sp_func_cache);
Parser_state parser_state(thd, inBuf, length); Parser_state parser_state(thd, rawbuf, length);
thd->m_parser_state= &parser_state; thd->m_parser_state= &parser_state;
int err= MYSQLparse(thd); int err= MYSQLparse(thd);
...@@ -6538,13 +6538,13 @@ void mysql_parse(THD *thd, const char *inBuf, uint length, ...@@ -6538,13 +6538,13 @@ void mysql_parse(THD *thd, const char *inBuf, uint length,
1 can be ignored 1 can be ignored
*/ */
bool mysql_test_parse_for_slave(THD *thd, char *inBuf, uint length) bool mysql_test_parse_for_slave(THD *thd, char *rawbuf, uint length)
{ {
LEX *lex= thd->lex; LEX *lex= thd->lex;
bool error= 0; bool error= 0;
DBUG_ENTER("mysql_test_parse_for_slave"); DBUG_ENTER("mysql_test_parse_for_slave");
Parser_state parser_state(thd, inBuf, length); Parser_state parser_state(thd, rawbuf, length);
thd->m_parser_state= &parser_state; thd->m_parser_state= &parser_state;
lex_start(thd); lex_start(thd);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment