diff options
| author | Anushree Prakash B <anushree.prakash.b@oracle.com> | 2017-09-08 18:29:07 +0530 |
|---|---|---|
| committer | Nawaz Nazeer Ahamed <nawaz.nazeer.ahamed@oracle.com> | 2017-09-13 20:44:55 +0530 |
| commit | 5ac61b2af0cf37eeed5050a91819d6d273f037a5 (patch) | |
| tree | a24463adbfbc85f8bf87c4fa1066a39f79998409 /client | |
| parent | f7316aa0c9a3909fc7498e7b95d5d3af044a7e21 (diff) | |
| download | mariadb-git-5ac61b2af0cf37eeed5050a91819d6d273f037a5.tar.gz | |
Bug#26372491 - RCE THROUGH THE MISHANDLE OF BACKSLASH
DESCRIPTION:
===========
The bug is related to incorrect parsing of SQL queries
when typed in on the CLI. The incorrect parsing can
result in unexpected results.
ANALYSIS:
========
The scenarios mainly happens for identifier names
with a typical combination of backslashes and backticks.
The incorrect parsing can either result in executing
additional queries or can result in query truncation.
This can impact mysqldump as well.
FIX:
===
The fix makes sure that such identifier names are
correctly parsed and a proper query is sent to the
server for execution.
(cherry picked from commit 31a372aa1c2b93dc75267d1f05a7f7fca6080dc0)
Diffstat (limited to 'client')
| -rw-r--r-- | client/mysql.cc | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/client/mysql.cc b/client/mysql.cc index d09499c120a..715d74f18b2 100644 --- a/client/mysql.cc +++ b/client/mysql.cc @@ -2119,7 +2119,10 @@ static bool add_line(String &buffer,char *line,char *in_string, if (*in_string || inchar == 'N') // \N is short for NULL { // Don't allow commands in string *out++='\\'; - *out++= (char) inchar; + if ((inchar == '`') && (*in_string == inchar)) + pos--; + else + *out++= (char) inchar; continue; } if ((com=find_command(NullS,(char) inchar))) |