diff options
| author | unknown <knielsen@knielsen-hq.org> | 2010-05-09 21:30:06 +0200 |
|---|---|---|
| committer | unknown <knielsen@knielsen-hq.org> | 2010-05-09 21:30:06 +0200 |
| commit | fcfb218f71b7d371a10df020994fc0a618639327 (patch) | |
| tree | 60e5c9d773785de08bedcd54721cbdf6c894f66a /sql/sql_table.cc | |
| parent | 07bfc5a2d6ebaa1a0da406177e443948ef93f5c7 (diff) | |
| download | mariadb-git-fcfb218f71b7d371a10df020994fc0a618639327.tar.gz | |
Cherry-pick fix for Bug#53371, security hole with bypassing grants using special path in db/table names.
Bump MariaDB version for security fix release.
Diffstat (limited to 'sql/sql_table.cc')
| -rw-r--r-- | sql/sql_table.cc | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/sql/sql_table.cc b/sql/sql_table.cc index 6d20ea0d3e5..d7376318f6b 100644 --- a/sql/sql_table.cc +++ b/sql/sql_table.cc @@ -434,7 +434,21 @@ uint tablename_to_filename(const char *from, char *to, uint to_length) DBUG_PRINT("enter", ("from '%s'", from)); if ((length= check_n_cut_mysql50_prefix(from, to, to_length))) + { + /* + Check if the name supplied is a valid mysql 5.0 name and + make the name a zero length string if it's not. + Note that just returning zero length is not enough : + a lot of places don't check the return value and expect + a zero terminated string. + */ + if (check_table_name(to, length, TRUE)) + { + to[0]= 0; + length= 0; + } DBUG_RETURN(length); + } length= strconvert(system_charset_info, from, &my_charset_filename, to, to_length, &errors); if (check_if_legal_tablename(to) && |