BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave

/*![:version:] Query Code */, where [:version:] is a sequence of 5 digits representing the mysql server version(e.g /*!50200 ... */), is a special comment that the query in it can be executed on those servers whose versions are larger than the version appearing in the comment. It leads to a security issue when slave's version is larger than master's. A malicious user can improve his privileges on slaves. Because slave SQL thread is running with SUPER privileges, so it can execute queries that he/she does not have privileges on master. This bug is fixed with the logic below: - To replace '!' with ' ' in the magic comments which are not applied on master. So they become common comments and will not be applied on slave. - Example: 'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/ will be binlogged as 'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/ mysql-test/suite/rpl/t/rpl_conditional_comments.test: Test the patch for this bug. sql/mysql_priv.h: Rename inBuf as rawBuf and remove the const limitation. sql/sql_lex.cc: To replace '!' with ' ' in the magic comments which are not applied on master. sql/sql_lex.h: Remove the const limitation on parameter buff, as it can be modified in the function since this patch. Add member function yyUnput for Lex_input_stream. It set a character back the query buff. sql/sql_parse.cc: Rename inBuf as rawBuf and remove the const limitation. sql/sql_partition.cc: Remove the const limitation on parameter part_buff, as it can be modified in the function since this patch. sql/sql_partition.h: Remove the const limitation on parameter part_buff, as it can be modified in the function since this patch. sql/table.h: Remove the const limitation on variable partition_info, as it can be modified since this patch.
author: unknown <Li-Bing.Song@sun.com> 2010-07-29 11:00:57 +0800
committer: unknown <Li-Bing.Song@sun.com> 2010-07-29 11:00:57 +0800
commit: 2124538d9cea1cea39b01f0b8b99052b36004fb9 (patch)
tree: 49835843b47b50726e5c3eb2fde225851827a677 /mysql-test/suite/rpl/r/rpl_conditional_comments.result
parent: 2529ee72ec1af6d27a4f1dc5db2c4f2f001b6120 (diff)
download: mariadb-git-2124538d9cea1cea39b01f0b8b99052b36004fb9.tar.gz
1 files changed, 57 insertions, 0 deletions
diff --git a/mysql-test/suite/rpl/r/rpl_conditional_comments.result b/mysql-test/suite/rpl/r/rpl_conditional_comments.result
new file mode 100644
index 00000000000..105d3bc59f3
--- /dev/null
+++ b/mysql-test/suite/rpl/r/rpl_conditional_comments.result
@@ -0,0 +1,57 @@
+stop slave;
+drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9;
+reset master;
+reset slave;
+drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9;
+start slave;
+CREATE TABLE t1(c1 INT);
+show binlog events from <binlog_start>;
+Log_name	Pos	Event_type	Server_id	End_log_pos	Info
+master-bin.000001	#	Query	#	#	use `test`; CREATE TABLE t1(c1 INT)
+
+# Case 1:
+# ------------------------------------------------------------------
+# In a statement, some CCs are applied while others are not. The CCs
+# which are not applied on master will be binlogged as common comments.
+/*!99999 --- */INSERT /*!INTO*/ /*!10000 t1 */ VALUES(10) /*!99999 ,(11)*/;
+show binlog events from <binlog_start>;
+Log_name	Pos	Event_type	Server_id	End_log_pos	Info
+master-bin.000001	#	Query	#	#	use `test`; /* 99999 --- */INSERT /*!INTO*/ /*!10000 t1 */ VALUES(10) /* 99999 ,(11)*/
+Comparing tables master:test.t1 and slave:test.t1
+
+# Case 2:
+# -----------------------------------------------------------------
+# Verify whether it can be binlogged correctly when executing prepared
+# statement.
+PREPARE stmt FROM 'INSERT INTO /*!99999 blabla*/ t1 VALUES(60) /*!99999 ,(61)*/';
+EXECUTE stmt;
+DROP TABLE t1;
+CREATE TABLE t1(c1 INT);
+EXECUTE stmt;
+Comparing tables master:test.t1 and slave:test.t1
+
+SET @value=62;
+PREPARE stmt FROM 'INSERT INTO /*!99999 blabla */ t1 VALUES(?) /*!99999 ,(63)*/';
+EXECUTE stmt USING @value;
+DROP TABLE t1;
+CREATE TABLE t1(c1 INT);
+EXECUTE stmt USING @value;
+show binlog events from <binlog_start>;
+Log_name	Pos	Event_type	Server_id	End_log_pos	Info
+master-bin.000001	#	Query	#	#	use `test`; INSERT INTO /* 99999 blabla*/ t1 VALUES(60) /* 99999 ,(61)*/
+master-bin.000001	#	Query	#	#	use `test`; DROP TABLE t1
+master-bin.000001	#	Query	#	#	use `test`; CREATE TABLE t1(c1 INT)
+master-bin.000001	#	Query	#	#	use `test`; INSERT INTO /* 99999 blabla*/ t1 VALUES(60) /* 99999 ,(61)*/
+master-bin.000001	#	Query	#	#	use `test`; INSERT INTO /* 99999 blabla */ t1 VALUES(62) /* 99999 ,(63)*/
+master-bin.000001	#	Query	#	#	use `test`; DROP TABLE t1
+master-bin.000001	#	Query	#	#	use `test`; CREATE TABLE t1(c1 INT)
+master-bin.000001	#	Query	#	#	use `test`; INSERT INTO /* 99999 blabla */ t1 VALUES(62) /* 99999 ,(63)*/
+Comparing tables master:test.t1 and slave:test.t1
+
+# Case 3:
+# -----------------------------------------------------------------
+# Verify it can restore the '!', if the it is an uncomplete conditional
+# comments
+SELECT c1 FROM /*!99999 t1 WHEREN;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/*!99999 t1 WHEREN' at line 1
+DROP TABLE t1;
author	unknown <Li-Bing.Song@sun.com>	2010-07-29 11:00:57 +0800
committer	unknown <Li-Bing.Song@sun.com>	2010-07-29 11:00:57 +0800
commit	2124538d9cea1cea39b01f0b8b99052b36004fb9 (patch)
tree	49835843b47b50726e5c3eb2fde225851827a677 /mysql-test/suite/rpl/r/rpl_conditional_comments.result
parent	2529ee72ec1af6d27a4f1dc5db2c4f2f001b6120 (diff)
download	mariadb-git-2124538d9cea1cea39b01f0b8b99052b36004fb9.tar.gz