authorAnushree Prakash B <anushree.prakash.b@oracle.com>2017-09-08 18:29:07 +0530
committerAnushree Prakash B <anushree.prakash.b@oracle.com>2017-09-08 18:29:07 +0530
commit43632f4cd5f3fc7aaa9a0aa757081725f120c488 (patch)
tree87ad2ae92a4e0392a277573e62082d86879a9200
parent14176f71472c08bcfb613c25b305e2c0b1d786cb (diff)
downloadmariadb-git-43632f4cd5f3fc7aaa9a0aa757081725f120c488.tar.gz
Bug#26372491 - RCE THROUGH THE MISHANDLE OF BACKSLASH
DESCRIPTION: =========== The bug is related to incorrect parsing of SQL queries when typed in on the CLI. The incorrect parsing can result in unexpected results. ANALYSIS: ======== The scenario mainly happens for identifier names with a typical combination of backslashes and backticks. The incorrect parsing can either result in executing additional queries or can result in query truncation. This can impact mysqldump as well. FIX: === The fix makes sure that such identifier names are correctly parsed and a proper query is sent to the server for execution.
-rw-r--r--client/mysql.cc5
1 files changed, 4 insertions, 1 deletions
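diff --git a/client/mysql.cc b/client/mysql.cc
index d09499c120a..715d74f18b2 100644
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -2119,7 +2119,10 @@ static bool add_line(String &buffer,char *line,char *in_string,
 if (*in_string || inchar == 'N') // \N is short for NULL
 { // Don't allow commands in string
 *out++='\\';
- *out++= (char) inchar;
+ if ((inchar == '`') && (*in_string == inchar))
+ pos--;
+ else
+ *out++= (char) inchar;
 continue;
 }
 if ((com=find_command(NullS,(char) inchar)))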
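Review bot: The new branch at the `pos--` line carries no comment, and its intent is not recoverable from the code alone: it writes the backslash out literally and rewinds so the backtick is re-read as the closing quote, which is what keeps the client's quote tracking in step with the server (the server does not treat a backslash as an escape inside a backtick-quoted identifier, so the old `*out++= (char) inchar` left the client believing it was still inside the identifier while the server saw the quote closed — the state mismatch behind the truncated or additional statements the description mentions). Suggest `// Inside a backtick-quoted identifier a backslash is not an escape: keep it and re-read the backtick so it closes the quote, matching the server's view.` above the new `if`. The diffstat shows only client/mysql.cc changed; a regression case in the client test suite covering identifier names with backslash-backtick sequences would pin this behaviour against future edits to the escape handling. The body of add_line, including the loop that advances pos and the read of the character after the backslash, lies outside the hunk.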