Bug#32167 another privilege bypass with DATA/INDEX DIRECORY(3rd version for 5.1)

added new function test_if_data_home_dir() which checks that
path does not contain mysql data home directory.
Using of 'mysql data home'/'any db name' in
DATA DIRECTORY & INDEX DIRECTORY is disallowed


mysql-test/r/partition.result:
  test result
mysql-test/r/partition_not_windows.result:
  result fix
mysql-test/r/partition_symlink.result:
  result fix
mysql-test/r/symlink.result:
  test result update
mysql-test/t/partition.test:
  test case
mysql-test/t/partition_not_windows.test:
  test case update
mysql-test/t/partition_symlink.test:
  test case update
mysql-test/t/symlink.test:
  test case
sql/mysql_priv.h:
  new variable mysql_unpacked_real_data_home
sql/mysqld.cc:
  new variable mysql_unpacked_real_data_home
sql/partition_info.cc:
  new check_partition_dirs() which checks
  data directory and index directory for partition elements
sql/partition_info.h:
  new check_partition_dirs() which checks
  data directory and index directory for partition elements
sql/sql_parse.cc:
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Using of 'mysql data home'/'any db name' in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed

5 files changed, 129 insertions, 1 deletions

diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h
index ea552414d9a..ea5e03489ba 100644
--- a/sql/mysql_priv.h
+++ b/sql/mysql_priv.h
@@ -748,6 +748,7 @@ bool check_string_byte_length(LEX_STRING *str, const char *err_msg,
 bool check_string_char_length(LEX_STRING *str, const char *err_msg,
                               uint max_char_length, CHARSET_INFO *cs,
                               bool no_error);
+bool test_if_data_home_dir(const char *dir);
 
 bool parse_sql(THD *thd,
                class Lex_input_stream *lip,
@@ -1789,7 +1790,8 @@ extern time_t server_start_time, flush_status_time;
 #if defined MYSQL_SERVER || defined INNODB_COMPATIBILITY_HOOKS
 extern uint mysql_data_home_len;
 extern char *mysql_data_home,server_version[SERVER_VERSION_LENGTH],
-            mysql_real_data_home[];
+            mysql_real_data_home[], mysql_unpacked_real_data_home[];
+extern CHARSET_INFO *character_set_filesystem;
 #endif /* MYSQL_SERVER || INNODB_COMPATIBILITY_HOOKS */
 #ifdef MYSQL_SERVER
 extern char *opt_mysql_tmpdir, mysql_charsets_dir[],
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index 6dc63012f55..a62d0afee86 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -510,6 +510,7 @@ char mysql_real_data_home[FN_REFLEN],
      language[FN_REFLEN], reg_ext[FN_EXTLEN], mysql_charsets_dir[FN_REFLEN],
      *opt_init_file, *opt_tc_log_file,
      def_ft_boolean_syntax[sizeof(ft_boolean_syntax)];
+char mysql_unpacked_real_data_home[FN_REFLEN];
 uint reg_ext_length;
 const key_map key_map_empty(0);
 key_map key_map_full(0);                        // Will be initialized later
@@ -8147,6 +8148,9 @@ static void fix_paths(void)
     pos[1]= 0;
   }
   convert_dirname(mysql_real_data_home,mysql_real_data_home,NullS);
+  (void) fn_format(buff, mysql_real_data_home, "", "",
+                   (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
+  (void) unpack_dirname(mysql_unpacked_real_data_home, buff);
   convert_dirname(language,language,NullS);
   (void) my_load_path(mysql_home,mysql_home,""); // Resolve current dir
   (void) my_load_path(mysql_real_data_home,mysql_real_data_home,mysql_home);
diff --git a/sql/partition_info.cc b/sql/partition_info.cc
index 3b580422da1..3130f84bd73 100644
--- a/sql/partition_info.cc
+++ b/sql/partition_info.cc
@@ -1047,4 +1047,60 @@ error:
   mem_alloc_error(size);
   DBUG_RETURN(TRUE);
 }
+
+
+/*
+  Check if path does not contain mysql data home directory
+  for partition elements with data directory and index directory
+
+  SYNOPSIS
+    check_partition_dirs()
+    part_info               partition_info struct 
+
+  RETURN VALUES
+    0	ok
+    1	error  
+*/
+
+bool check_partition_dirs(partition_info *part_info)
+{
+  if (!part_info)
+    return 0;
+
+  partition_element *part_elem;
+  List_iterator<partition_element> part_it(part_info->partitions);
+  while ((part_elem= part_it++))
+  {
+    if (part_elem->subpartitions.elements)
+    {
+      List_iterator<partition_element> sub_it(part_elem->subpartitions);
+      partition_element *subpart_elem;
+      while ((subpart_elem= sub_it++))
+      {
+        if (test_if_data_home_dir(subpart_elem->data_file_name))
+          goto dd_err;
+        if (test_if_data_home_dir(subpart_elem->index_file_name))
+          goto id_err;
+      }
+    }
+    else
+    {
+      if (test_if_data_home_dir(part_elem->data_file_name))
+        goto dd_err;
+      if (test_if_data_home_dir(part_elem->index_file_name))
+        goto id_err;
+    }
+  }
+  return 0;
+
+dd_err:
+  my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECORY");
+  return 1;
+
+id_err:
+  my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECORY");
+  return 1;
+}
+
+
 #endif /* WITH_PARTITION_STORAGE_ENGINE */
diff --git a/sql/partition_info.h b/sql/partition_info.h
index b7d13e188f3..2859aaec3be 100644
--- a/sql/partition_info.h
+++ b/sql/partition_info.h
@@ -290,6 +290,7 @@ private:
 };
 
 uint32 get_next_partition_id_range(struct st_partition_iter* part_iter);
+bool check_partition_dirs(partition_info *part_info);
 
 /* Initialize the iterator to return a single partition with given part_id */
 
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 009b81a3893..d79fbed7acb 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -2364,6 +2364,28 @@ mysql_execute_command(THD *thd)
                    "INDEX DIRECTORY option ignored");
     create_info.data_file_name= create_info.index_file_name= NULL;
 #else
+
+    if (test_if_data_home_dir(lex->create_info.data_file_name))
+    {
+      my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECORY");
+      res= -1;
+      break;
+    }
+    if (test_if_data_home_dir(lex->create_info.index_file_name))
+    {
+      my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECORY");
+      res= -1;
+      break;
+    }
+
+#ifdef WITH_PARTITION_STORAGE_ENGINE
+    if (check_partition_dirs(thd->lex->part_info))
+    {
+      res= -1;
+      break;
+    }
+#endif
+
     /* Fix names if symlinked tables */
     if (append_file_to_dir(thd, &create_info.data_file_name,
 			   create_table->table_name) ||
@@ -7354,6 +7376,49 @@ bool check_string_char_length(LEX_STRING *str, const char *err_msg,
 }
 
 
+/*
+  Check if path does not contain mysql data home directory
+  SYNOPSIS
+    test_if_data_home_dir()
+    dir                     directory
+    conv_home_dir           converted data home directory
+    home_dir_len            converted data home directory length
+
+  RETURN VALUES
+    0	ok
+    1	error  
+*/
+
+bool test_if_data_home_dir(const char *dir)
+{
+  char path[FN_REFLEN], conv_path[FN_REFLEN];
+  uint dir_len, home_dir_len= strlen(mysql_unpacked_real_data_home);
+  DBUG_ENTER("test_if_data_home_dir");
+
+  if (!dir)
+    DBUG_RETURN(0);
+
+  (void) fn_format(path, dir, "", "",
+                   (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
+  dir_len= unpack_dirname(conv_path, dir);
+
+  if (home_dir_len < dir_len)
+  {
+    if (lower_case_file_system)
+    {
+      if (!my_strnncoll(character_set_filesystem,
+                        (const uchar*) conv_path, home_dir_len,
+                        (const uchar*) mysql_unpacked_real_data_home,
+                        home_dir_len))
+        DBUG_RETURN(1);
+    }
+    else if (!memcmp(conv_path, mysql_unpacked_real_data_home, home_dir_len))
+      DBUG_RETURN(1);
+  }
+  DBUG_RETURN(0);
+}
+
+
 extern int MYSQLparse(void *thd); // from sql_yacc.cc