author | unknown <knielsen@knielsen-hq.org> | 2010-05-09 21:30:06 +0200 |
---|---|---|
committer | unknown <knielsen@knielsen-hq.org> | 2010-05-09 21:30:06 +0200 |
commit | 2c79b75831fc1d2a95c8b6259486044d078e2607 (patch) | |
tree | 60e5c9d773785de08bedcd54721cbdf6c894f66a /sql/table.cc | |
parent | fc5de4653d65c7cd4b894809c1a0156db6a2a42a (diff) | |
download | mariadb-git-2c79b75831fc1d2a95c8b6259486044d078e2607.tar.gz |
Cherry-pick fix for Bug#53371, security hole with bypassing grants using special path in db/table names. mariadb-5.1.44b
Bump MariaDB version for security fix release.
Diffstat (limited to 'sql/table.cc')
-rw-r--r-- | sql/table.cc | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/sql/table.cc b/sql/table.cc
index 733aa3e6887..8c87dc73d7d 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -494,6 +494,19 @@ inline bool is_system_table_name(const char *name, uint length)
 }
+/**
+ Check if a string contains path elements
+*/
+
+static inline bool has_disabled_path_chars(const char *str)
+{
+ for (; *str; str++)
+ if (*str == FN_EXTCHAR || *str == '/' || *str == '\\' || *str == '~' || *str == '@')
+ return TRUE;
+ return FALSE;
+}
+
+
 /* Read table definition from a binary / text based .frm file
@@ -548,7 +561,8 @@ int open_table_def(THD *thd, TABLE_SHARE *share, uint db_flags)
 This kind of tables must have been opened only by the my_open() above. */
- if (strchr(share->table_name.str, '@') ||
+ if (has_disabled_path_chars(share->table_name.str) ||
+ has_disabled_path_chars(share->db.str) ||
 !strncmp(share->db.str, MYSQL50_TABLE_NAME_PREFIX, MYSQL50_TABLE_NAME_PREFIX_LENGTH) || !strncmp(share->table_name.str, MYSQL50_TABLE_NAME_PREFIX,
@@ -2718,7 +2732,6 @@ bool check_db_name(LEX_STRING *org_name)
 (name_length > NAME_CHAR_LEN)); /* purecov: inspected */
 }
-
 /* Allow anything as a table name, as long as it doesn't contain an ' ' at the end
@@ -2726,7 +2739,7 @@ bool check_db_name(LEX_STRING *org_name)
 */
-bool check_table_name(const char *name, uint length)
+bool check_table_name(const char *name, uint length, bool check_for_path_chars)
 {
 uint name_length= 0; // name length in symbols
 const char *end= name+length;
@@ -2753,6 +2766,9 @@ bool check_table_name(const char *name, uint length)
 continue;
 }
 }
+ if (check_for_path_chars &&
+ (*name == '/' || *name == '\\' || *name == '~' || *name == FN_EXTCHAR))
+ return 1;
 #endif
 name++;
 name_length++; |
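Review bot: The doc comment on `has_disabled_path_chars` in the `@@ -494,6 +494,19 @@` hunk says only "contains path elements", yet the function also rejects `@` and `FN_EXTCHAR`, and the comment gives no reason for the check. I would spell the set out and tie it to the bug, for example `/** Return TRUE if str contains FN_EXTCHAR, '/', '\\', '~' or '@'; used to refuse db/table names that could be read as a file system path (Bug#53371). */`. The same character list, without `@`, is written out again in the `@@ -2753,6 +2766,9 @@` hunk of `check_table_name`. A shared helper, or a comment on why `@` is treated differently there, would keep the two lists from drifting apart.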
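Review bot: The comment above `check_table_name`, whose tail is the context of the `@@ -2726,7 +2739,7 @@` hunk, still describes the function as allowing anything except a trailing space and does not mention the new `check_for_path_chars` parameter. A line such as `@param check_for_path_chars  when true, also reject names containing '/', '\\', '~' or FN_EXTCHAR` would document it. The parameter has no default and the stricter check is opt-in, so every caller has to choose a value. The diff shown here is limited to sql/table.cc, so the values the callers pass cannot be checked from this page; any caller that validates a name taken from a statement presumably needs `true`.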
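Review bot: The path-character test added in the `@@ -2753,6 +2766,9 @@` hunk sits before the `#endif`, so it lies inside a conditional-compilation region whose `#if` is outside the hunk. In a build where that condition is false the check would be compiled out and `check_for_path_chars` silently ignored. Unless that is intended, move the three added lines below `#endif`, directly before `name++;`, so the test runs in every configuration. The `if` body is also unbraced under a two-line condition; braces around `return 1;` would make the guard harder to break in a later edit.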