Commit f41419a8 authored by Georgi Kodinov's avatar Georgi Kodinov

Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.

The server was not checking the supplied to COM_FIELD_LIST table name
for validity and compliance to acceptable table names standards.
Fixed by checking the table name for compliance similar to how it's 
normally checked by the parser and returning an error message if 
it's not compliant.
parent 4f02e2f3
...@@ -2042,6 +2042,13 @@ bool dispatch_command(enum enum_server_command command, THD *thd, ...@@ -2042,6 +2042,13 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
} }
thd->convert_string(&conv_name, system_charset_info, thd->convert_string(&conv_name, system_charset_info,
packet, arg_length, thd->charset()); packet, arg_length, thd->charset());
if (check_table_name (conv_name.str, conv_name.length))
{
/* this is OK due to convert_string() null-terminating the string */
my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
break;
}
table_list.alias= table_list.table_name= conv_name.str; table_list.alias= table_list.table_name= conv_name.str;
packet= pend+1; packet= pend+1;
......
...@@ -16679,6 +16679,47 @@ static void test_bug45010() ...@@ -16679,6 +16679,47 @@ static void test_bug45010()
} }
static void test_bug53371()
{
int rc;
MYSQL_RES *result;
myheader("test_bug53371");
rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
myquery(rc);
rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
myquery(rc);
rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
myquery(rc);
rc= mysql_query(mysql, "CREATE DATABASE bug53371");
myquery(rc);
rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
myquery(rc);
rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
myquery(rc);
rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
DIE_UNLESS(rc);
DIE_UNLESS(mysql_errno(mysql) == 1142);
result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
DIE_IF(result);
rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
myquery(rc);
rc= mysql_query(mysql, "DROP TABLE t1");
myquery(rc);
rc= mysql_query(mysql, "DROP DATABASE bug53371");
myquery(rc);
rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
myquery(rc);
}
/* /*
Read and parse arguments and MySQL options from my.cnf Read and parse arguments and MySQL options from my.cnf
*/ */
...@@ -16982,6 +17023,7 @@ static struct my_tests_st my_tests[]= { ...@@ -16982,6 +17023,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug41078", test_bug41078 }, { "test_bug41078", test_bug41078 },
{ "test_bug20023", test_bug20023 }, { "test_bug20023", test_bug20023 },
{ "test_bug45010", test_bug45010 }, { "test_bug45010", test_bug45010 },
{ "test_bug53371", test_bug53371 },
{ 0, 0 } { 0, 0 }
}; };
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment