summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnushree Prakash B <anushree.prakash.b@oracle.com>2017-09-08 18:29:07 +0530
committerNawaz Nazeer Ahamed <nawaz.nazeer.ahamed@oracle.com>2017-09-13 20:44:55 +0530
commit5ac61b2af0cf37eeed5050a91819d6d273f037a5 (patch)
treea24463adbfbc85f8bf87c4fa1066a39f79998409
parentf7316aa0c9a3909fc7498e7b95d5d3af044a7e21 (diff)
downloadmariadb-git-5ac61b2af0cf37eeed5050a91819d6d273f037a5.tar.gz
Bug#26372491 - RCE THROUGH THE MISHANDLE OF BACKSLASH
DESCRIPTION: =========== The bug is related to incorrect parsing of SQL queries when typed in on the CLI. The incorrect parsing can result in unexpected results. ANALYSIS: ======== The scenarios mainly happens for identifier names with a typical combination of backslashes and backticks. The incorrect parsing can either result in executing additional queries or can result in query truncation. This can impact mysqldump as well. FIX: === The fix makes sure that such identifier names are correctly parsed and a proper query is sent to the server for execution. (cherry picked from commit 31a372aa1c2b93dc75267d1f05a7f7fca6080dc0)
Diffstat
-rw-r--r--client/mysql.cc5
1 files changed, 4 insertions, 1 deletions
diff --git a/client/mysql.cc b/client/mysql.cc
index d09499c120a..715d74f18b2 100644
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -2119,7 +2119,10 @@ static bool add_line(String &buffer,char *line,char *in_string,
if (*in_string || inchar == 'N') // \N is short for NULL
{ // Don't allow commands in string
*out++='\\';
- *out++= (char) inchar;
+ if ((inchar == '`') && (*in_string == inchar))
+ pos--;
+ else
+ *out++= (char) inchar;
continue;
}
if ((com=find_command(NullS,(char) inchar)))
View Lorry Controller Status