summaryrefslogtreecommitdiff
path: root/mysys
diff options
context:
space:
mode:
authorRavinder Thakur <ravinder.thakur@oracle.com>2012-12-13 20:33:44 +0530
committerRavinder Thakur <ravinder.thakur@oracle.com>2012-12-13 20:33:44 +0530
commit9258223200047222e52463b49f6f1c83ca042075 (patch)
tree2e52b0a9f3f63f6ea4ed62f0f9c3209cd57865ba /mysys
parenta01e70c27843ad6f3c1d4d7a9922dedcb8941b6b (diff)
downloadmariadb-git-9258223200047222e52463b49f6f1c83ca042075.tar.gz
bug#11761752: DO NOT ALLOW USE OF ALTERNATE DATA STREAMS ON NTFS FILESYSTEM.
File names with colon are being disallowed because of the Alternate Data Stream (ADS) feature of NTFS that could be misused. ADS allows data to be written to alternate streams of a normal file. The data in alternate streams cannot be seen by normal tools on Windows (explorer, cmd.exe). As a result someone can use this feature to hide large amount of data in alternate streams and admins will have no easy way of figuring out the files that are using that disk space. The fix also disallows ADS in the scenarios where file name is passed as some dynamic variable. An important thing about the fix is that it DOES NOT disallow ADS file names if they are not dynamic (i.e. if the file is created by using some option that needs local access to the MySQL server, for example error log file). The reasoning is that if some MySQL option related to files requires access to the local machine (it is not dynamic), then user can very well create data in ADS by some other means. This fixes only those scenarios which can allow users to create data in ADS over the wire. File names with colon are being disallowed only on Windows. UNIX (Linux in particular) supports NTFS, but it will not be a common scenario for someone to configure a NTFS file system to store MySQL data on Linux. Changes in file bug11761752-master.opt are needed due to bug number 15937938.
Diffstat (limited to 'mysys')
-rw-r--r--mysys/my_access.c61
-rw-r--r--mysys/my_fopen.c5
-rw-r--r--mysys/my_open.c7
3 files changed, 73 insertions, 0 deletions
diff --git a/mysys/my_access.c b/mysys/my_access.c
index 43917da7f98..4734fbac8ba 100644
--- a/mysys/my_access.c
+++ b/mysys/my_access.c
@@ -156,6 +156,67 @@ int check_if_legal_tablename(const char *name)
}
+#ifdef __WIN__
+/**
+ Checks if the drive letter supplied is valid or not. Valid drive
+ letters are A to Z, both lower case and upper case.
+
+ @param drive_letter : The drive letter to validate.
+
+ @return TRUE if the drive exists, FALSE otherwise.
+*/
+static my_bool does_drive_exists(char drive_letter)
+{
+ DWORD drive_mask= GetLogicalDrives();
+ drive_letter= toupper(drive_letter);
+
+ return (drive_letter >= 'A' && drive_letter <= 'Z') &&
+ (drive_mask & (0x1 << (drive_letter - 'A')));
+}
+#endif
+
+/**
+ Verifies if the file name supplied is allowed or not. On Windows
+ file names with a colon (:) are not allowed because such file names
+ store data in Alternate Data Streams which can be used to hide
+ the data.
+
+ @param name contains the file name with or without path
+ @param length contains the length of file name
+
+ @return TRUE if the file name is allowed, FALSE otherwise.
+*/
+my_bool is_filename_allowed(const char *name __attribute__((unused)),
+ size_t length __attribute__((unused)))
+{
+#ifdef __WIN__
+ /*
+ For Windows, check if the file name contains : character.
+ Start from end of path and search if the file name contains :
+ */
+ const char* ch = NULL;
+ for(ch= name + length - 1; ch >= name; --ch)
+ {
+ if (FN_LIBCHAR == *ch || '/' == *ch)
+ break;
+ else if (':' == *ch)
+ {
+ /*
+ File names like C:foobar.txt are allowed since the syntax means
+ file foobar.txt in current directory of C drive. However file
+ names likes CC:foobar are not allowed since this syntax means ADS
+ foobar in file CC.
+ */
+ return ((ch - name == 1) && does_drive_exists(*name));
+ }
+ }
+ return TRUE;
+#else
+ /* For other platforms, file names can contain colon : */
+ return TRUE;
+#endif
+} /* is_filename_allowed */
+
#if defined(__WIN__) || defined(__EMX__)
diff --git a/mysys/my_fopen.c b/mysys/my_fopen.c
index 72991490d75..75c5ec6ff8b 100644
--- a/mysys/my_fopen.c
+++ b/mysys/my_fopen.c
@@ -56,6 +56,11 @@ FILE *my_fopen(const char *filename, int flags, myf MyFlags)
errno= EACCES;
fd= 0;
}
+ else if (!is_filename_allowed(filename, strlen(filename)))
+ {
+ errno= EINVAL;
+ fd= 0;
+ }
else
#endif
{
diff --git a/mysys/my_open.c b/mysys/my_open.c
index fe7f65c450b..9060bb404e8 100644
--- a/mysys/my_open.c
+++ b/mysys/my_open.c
@@ -218,6 +218,13 @@ File my_sopen(const char *path, int oflag, int shflag, int pmode)
DWORD fileattrib; /* OS file attribute flags */
SECURITY_ATTRIBUTES SecurityAttributes;
+ if (!is_filename_allowed(path, strlen(path)))
+ {
+ errno= EINVAL;
+ _doserrno= 0L; /* not an OS error */
+ return -1;
+ }
+
SecurityAttributes.nLength= sizeof(SecurityAttributes);
SecurityAttributes.lpSecurityDescriptor= NULL;
SecurityAttributes.bInheritHandle= !(oflag & _O_NOINHERIT);