diff options
| author | unknown <serg@serg.mylan> | 2005-03-03 19:51:29 +0100 |
|---|---|---|
| committer | unknown <serg@serg.mylan> | 2005-03-03 19:51:29 +0100 |
| commit | 8104faa08305df5cbc848fe593444d2716ba49eb (patch) | |
| tree | 6a871c4d1335ae125f6cd13af89645ec25365e37 /sql/sql_udf.cc | |
| parent | 026bb52678a2a8ca1cc2b242b5dfaa38c56261b9 (diff) | |
| download | mariadb-git-8104faa08305df5cbc848fe593444d2716ba49eb.tar.gz | |
Fixes for bugs reported by Stefano Di Paola (stefano.dipaola@wisec.it)
include/my_global.h:
O_NOFOLLOW
isam/create.c:
create table files with O_EXCL|O_NOFOLLOW
merge/mrg_create.c:
create table files with O_EXCL|O_NOFOLLOW
myisam/mi_create.c:
create files of temporary tables with O_EXCL|O_NOFOLLOW
myisammrg/myrg_create.c:
create table files with O_EXCL|O_NOFOLLOW
mysys/mf_tempfile.c:
create temporary files with O_EXCL|O_NOFOLLOW
sql/ha_myisam.cc:
let mi_create know if the table is TEMPORARY
sql/mysql_priv.h:
--allow_suspicious_udfs
sql/mysqld.cc:
--allow_suspicious_udfs
sql/share/english/errmsg.txt:
typo
sql/sql_udf.cc:
--allow_suspicious_udfs
don't allow xxx() udf without any of xxx_init/deinit/add/reset
check paths when loading from mysql.func
sql/table.cc:
create frm of temporary table with O_EXCL|O_NOFOLLOW
Diffstat (limited to 'sql/sql_udf.cc')
| -rw-r--r-- | sql/sql_udf.cc | 98 |
1 files changed, 67 insertions, 31 deletions
diff --git a/sql/sql_udf.cc b/sql/sql_udf.cc index 431f8a13d28..ae83cfef305 100644 --- a/sql/sql_udf.cc +++ b/sql/sql_udf.cc @@ -73,29 +73,49 @@ static HASH udf_hash; static pthread_mutex_t THR_LOCK_udf; -static udf_func *add_udf(char *name, Item_result ret, char *dl, - Item_udftype typ); +static udf_func *add_udf(char *name, Item_result ret, + char *dl, Item_udftype typ); static void del_udf(udf_func *udf); static void *find_udf_dl(const char *dl); - -static void init_syms(udf_func *tmp) +static char *init_syms(udf_func *tmp, char *nm) { - char nm[MAX_FIELD_NAME+16],*end; + char *end; + + if (!((tmp->func= dlsym(tmp->dlhandle, tmp->name)))) + return tmp->name; - tmp->func = dlsym(tmp->dlhandle, tmp->name); end=strmov(nm,tmp->name); - (void) strmov(end,"_init"); - tmp->func_init = dlsym(tmp->dlhandle, nm); - (void) strmov(end,"_deinit"); - tmp->func_deinit = dlsym(tmp->dlhandle, nm); + if (tmp->type == UDFTYPE_AGGREGATE) { - (void)strmov( end, "_reset" ); - tmp->func_reset = dlsym( tmp->dlhandle, nm ); - (void)strmov( end, "_add" ); - tmp->func_add = dlsym( tmp->dlhandle, nm ); + (void)strmov(end, "_reset"); + if (!((tmp->func_reset= dlsym(tmp->dlhandle, nm)))) + return nm; + (void)strmov(end, "_add"); + if (!((tmp->func_add= dlsym(tmp->dlhandle, nm)))) + return nm; + } + + (void) strmov(end,"_deinit"); + tmp->func_deinit= dlsym(tmp->dlhandle, nm); + + (void) strmov(end,"_init"); + tmp->func_init= dlsym(tmp->dlhandle, nm); + + /* + to prefent loading "udf" from, e.g. libc.so + let's ensure that at least one auxiliary symbol is defined + */ + if (!tmp->func_init && !tmp->func_deinit && tmp->type != UDFTYPE_AGGREGATE) + { + if (opt_allow_suspicious_udfs) + sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), nm); + else + return nm; } + + return 0; } extern "C" byte* get_hash_key(const byte *buff,uint *length, @@ -107,7 +127,7 @@ extern "C" byte* get_hash_key(const byte *buff,uint *length, } /* -** Read all predeclared functions from func@mysql and accept all that +** Read all predeclared functions from mysql.func and accept all that ** can be used. */ @@ -149,7 +169,7 @@ void udf_init() if (open_and_lock_tables(new_thd, &tables)) { DBUG_PRINT("error",("Can't open udf table")); - sql_print_error("Can't open the mysql/func table. Please run the mysql_install_db script to create it."); + sql_print_error("Can't open the mysql.func table. Please run the mysql_install_db script to create it."); goto end; } @@ -165,10 +185,22 @@ void udf_init() if (table->fields >= 4) // New func table udftype=(Item_udftype) table->field[3]->val_int(); + /* + Ensure that the .dll doesn't have a path + This is done to ensure that only approved dll from the system + directories are used (to make this even remotely secure). + */ + if (strchr(dl_name, '/') || strlen(name) > NAME_LEN) + { + sql_print_error("Invalid row in mysql.func table for function '%.64s'", + name); + continue; + } + if (!(tmp = add_udf(name,(Item_result) table->field[1]->val_int(), dl_name, udftype))) { - sql_print_error("Can't alloc memory for udf function: name"); + sql_print_error("Can't alloc memory for udf function: '%.64s'", name); continue; } @@ -186,13 +218,15 @@ void udf_init() new_dl=1; } tmp->dlhandle = dl; - init_syms(tmp); - if (!tmp->func) { - sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), name); - del_udf(tmp); - if (new_dl) - dlclose(dl); + char buf[MAX_FIELD_NAME+16], *missing; + if ((missing= init_syms(tmp, buf))) + { + sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), missing); + del_udf(tmp); + if (new_dl) + dlclose(dl); + } } } if (error > 0) @@ -234,7 +268,7 @@ void udf_free() { initialized= 0; pthread_mutex_destroy(&THR_LOCK_udf); - } + } DBUG_VOID_RETURN; } @@ -398,13 +432,15 @@ int mysql_create_function(THD *thd,udf_func *udf) new_dl=1; } udf->dlhandle=dl; - init_syms(udf); - - if (udf->func == NULL) { - net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, udf->name); - goto err; + char buf[MAX_FIELD_NAME+16], *missing; + if ((missing= init_syms(udf, buf))) + { + net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, missing); + goto err; + } } + udf->name=strdup_root(&mem,udf->name); udf->dl=strdup_root(&mem,udf->dl); if (!(u_d=add_udf(udf->name,udf->returns,udf->dl,udf->type))) @@ -419,7 +455,7 @@ int mysql_create_function(THD *thd,udf_func *udf) u_d->func_reset=udf->func_reset; u_d->func_add=udf->func_add; - /* create entry in mysql/func table */ + /* create entry in mysql.func table */ bzero((char*) &tables,sizeof(tables)); tables.db= (char*) "mysql"; @@ -439,7 +475,7 @@ int mysql_create_function(THD *thd,udf_func *udf) close_thread_tables(thd); if (error) { - net_printf(&thd->net, ER_ERROR_ON_WRITE, "func@mysql",error); + net_printf(&thd->net, ER_ERROR_ON_WRITE, "mysql.func",error); del_udf(u_d); goto err; } |