bug#11761752: DO NOT ALLOW USE OF ALTERNATE DATA STREAMS ON NTFS FILESYSTEM.

File names with colon are being disallowed because of the Alternate Data 
Stream (ADS) feature of NTFS that could be misused. ADS allows data to be 
written to alternate streams of a normal file. The data in alternate 
streams cannot be seen by normal tools on Windows (explorer, cmd.exe). As 
a result someone can use this feature to hide large amount of data in 
alternate streams and admins will have no easy way of figuring out the 
files that are using that disk space. The fix also disallows ADS in the 
scenarios where file name is passed as some dynamic variable.

An important thing about the fix is that it DOES NOT disallow ADS file 
names if they are not dynamic (i.e. if the file is created by using some 
option that needs local access to the MySQL server, for example error log
file). The reasoning is that if some MySQL option related to files 
requires access to the local machine (it is not dynamic), then user can very 
well create data in ADS by some other means. This fixes only those scenarios 
which can allow users to create data in ADS over the wire.

File names with colon are being disallowed only on Windows. UNIX 
(Linux in particular) supports NTFS, but it will not be a common 
scenario for someone to configure a NTFS file system to store MySQL 
data on Linux.

Changes in file bug11761752-master.opt are needed due to 
bug number 15937938.

3 files changed, 73 insertions, 0 deletions

diff --git a/mysys/my_access.c b/mysys/my_access.c
index 43917da7f98..4734fbac8ba 100644
--- a/mysys/my_access.c
+++ b/mysys/my_access.c
@@ -156,6 +156,67 @@ int check_if_legal_tablename(const char *name)
 }
 
 
+#ifdef __WIN__
+/**
+  Checks if the drive letter supplied is valid or not. Valid drive
+  letters are A to Z, both lower case and upper case.
+
+  @param drive_letter : The drive letter to validate.
+ 
+  @return TRUE if the drive exists, FALSE otherwise.
+*/
+static my_bool does_drive_exists(char drive_letter)
+{
+  DWORD drive_mask= GetLogicalDrives();
+  drive_letter= toupper(drive_letter);
+
+  return (drive_letter >= 'A' && drive_letter <= 'Z') &&
+         (drive_mask & (0x1 << (drive_letter - 'A')));
+}
+#endif
+
+/**
+  Verifies if the file name supplied is allowed or not. On Windows
+  file names with a colon (:) are not allowed because such file names
+  store data in Alternate Data Streams which can be used to hide 
+  the data.
+
+  @param name contains the file name with or without path
+  @param length contains the length of file name
+ 
+  @return TRUE if the file name is allowed, FALSE otherwise.
+*/
+my_bool is_filename_allowed(const char *name __attribute__((unused)),
+                            size_t length __attribute__((unused)))
+{
+#ifdef __WIN__
+  /* 
+    For Windows, check if the file name contains : character.
+    Start from end of path and search if the file name contains :
+  */
+  const char* ch = NULL;
+  for(ch= name + length - 1; ch >= name; --ch)
+  {
+    if (FN_LIBCHAR == *ch || '/' == *ch)
+      break;
+    else if (':' == *ch)
+    {
+      /*
+        File names like C:foobar.txt are allowed since the syntax means
+        file foobar.txt in current directory of C drive. However file
+        names likes CC:foobar are not allowed since this syntax means ADS
+        foobar in file CC.
+      */
+      return ((ch - name == 1) && does_drive_exists(*name));
+    }
+  }
+  return TRUE;
+#else
+  /* For other platforms, file names can contain colon : */
+  return TRUE;
+#endif
+} /* is_filename_allowed */
+
 #if defined(__WIN__) || defined(__EMX__)
 
 
diff --git a/mysys/my_fopen.c b/mysys/my_fopen.c
index 72991490d75..75c5ec6ff8b 100644
--- a/mysys/my_fopen.c
+++ b/mysys/my_fopen.c
@@ -56,6 +56,11 @@ FILE *my_fopen(const char *filename, int flags, myf MyFlags)
     errno= EACCES;
     fd= 0;
   }
+  else if (!is_filename_allowed(filename, strlen(filename)))

+  {
+    errno= EINVAL;
+    fd= 0;
+  }
   else
 #endif
   {
diff --git a/mysys/my_open.c b/mysys/my_open.c
index fe7f65c450b..9060bb404e8 100644
--- a/mysys/my_open.c
+++ b/mysys/my_open.c
@@ -218,6 +218,13 @@ File my_sopen(const char *path, int oflag, int shflag, int pmode)
   DWORD fileattrib;                       /* OS file attribute flags */
   SECURITY_ATTRIBUTES SecurityAttributes;
 
+  if (!is_filename_allowed(path, strlen(path)))
+  {
+    errno= EINVAL;
+    _doserrno= 0L;        /* not an OS error */
+    return -1;
+  }
+
   SecurityAttributes.nLength= sizeof(SecurityAttributes);
   SecurityAttributes.lpSecurityDescriptor= NULL;
   SecurityAttributes.bInheritHandle= !(oflag & _O_NOINHERIT);