diff options
| author | Georgi Kodinov <Georgi.Kodinov@Oracle.com> | 2011-04-28 12:22:41 +0300 |
|---|---|---|
| committer | Georgi Kodinov <Georgi.Kodinov@Oracle.com> | 2011-04-28 12:22:41 +0300 |
| commit | 59d7516005af28dce97c3f4251e2d7da2e31d203 (patch) | |
| tree | 65c1bdb17e8f4d53ba52f73aef750d72c771c28b /sql/mysqld.cc | |
| parent | 0d2f7502b5d10fe3c6ac0be134e8fab660d5c6da (diff) | |
| download | mariadb-git-59d7516005af28dce97c3f4251e2d7da2e31d203.tar.gz | |
Bug #11764517: 57359: POSSIBLE TO CIRCUMVENT SECURE_FILE_PRIV
USING '..' ON WINDOWS
Backport of the fix to 5.0 (to be null-merged to 5.1).
Moved the test into the main test suite.
Made mysql-test-run.pl to not use symlinks for sdtdata as the symlinks
are now properly recognized by secure_file_priv.
Made sure the paths in load_file(), LOAD DATA and SELECT .. INTO OUTFILE
that are checked against secure_file_priv in a correct way similarly to 5.1
by the extended is_secure_file_path() backport before the comparison.
Added an extensive test with all the variants of upper/lower case,
slash/backslash and case sensitivity.
Added few comments to the code.
Diffstat (limited to 'sql/mysqld.cc')
| -rw-r--r-- | sql/mysqld.cc | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/sql/mysqld.cc b/sql/mysqld.cc index f026bab1c32..3291085f380 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -7855,6 +7855,64 @@ fn_format_relative_to_data_home(my_string to, const char *name, } +/** + Test a file path to determine if the path is compatible with the secure file + path restriction. + + @param path null terminated character string + + @return + @retval TRUE The path is secure + @retval FALSE The path isn't secure +*/ + +bool is_secure_file_path(char *path) +{ + char buff1[FN_REFLEN], buff2[FN_REFLEN]; + size_t opt_secure_file_priv_len; + /* + All paths are secure if opt_secure_file_path is 0 + */ + if (!opt_secure_file_priv) + return TRUE; + + opt_secure_file_priv_len= strlen(opt_secure_file_priv); + + if (strlen(path) >= FN_REFLEN) + return FALSE; + + if (my_realpath(buff1, path, 0)) + { + /* + The supplied file path might have been a file and not a directory. + */ + int length= (int) dirname_length(path); + if (length >= FN_REFLEN) + return FALSE; + memcpy(buff2, path, length); + buff2[length]= '\0'; + if (length == 0 || my_realpath(buff1, buff2, 0)) + return FALSE; + } + convert_dirname(buff2, buff1, NullS); + if (!lower_case_file_system) + { + if (strncmp(opt_secure_file_priv, buff2, opt_secure_file_priv_len)) + return FALSE; + } + else + { + if (files_charset_info->coll->strnncoll(files_charset_info, + (uchar *) buff2, strlen(buff2), + (uchar *) opt_secure_file_priv, + opt_secure_file_priv_len, + TRUE)) + return FALSE; + } + return TRUE; +} + + static void fix_paths(void) { char buff[FN_REFLEN],*pos; |