author | unknown <msvensson@neptunus.(none)> | 2006-08-30 17:11:00 +0200 |
---|---|---|
committer | unknown <msvensson@neptunus.(none)> | 2006-08-30 17:11:00 +0200 |
commit | d4075f6659caf5f0941dda36773c86a82468cec9 (patch) | |
tree | cb0a6aee5cef9906d853d84c796d83bd6242572f /tests | |
parent | 91bdf2952d0f78a514d03235754ee54813f9ae6c (diff) | |
Bug#21813 An attacker has the opportunity to bypass query logging, part2
- Use the "%.*b" format when printing prepared and executed prepared statements to the log.
- Add test case to check that also prepared statements end up in the query log
Bug#14346 Prepared statements corrupting general log/server memory
- Use "stmt->query" when logging the newly prepared query instead of "packet"
sql/sql_prepare.cc:
mysql_stmt_prepare
- Use "%.*b" format when printing to log
- Print the query from stmt instead of "packet", packet points at the net in/out buffer and has most likely been overwritten
when result for prepare was written to client.
mysql_stmt_execute
- Use "%.*b" format when printing to log
- Print the query from thd as the expanded query has been specifically set to be valid also after restore from backup statement
tests/mysql_client_test.c:
Add tests for bug#21813 to already existing test for bug#17667. Add functionality for also executing prepared statements and making sure they end up in the log as well.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/mysql_client_test.c | 89 |
1 files changed, 66 insertions, 23 deletions
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c index 427994f832f..8377c757138 100644 --- a/tests/mysql_client_test.c +++ b/tests/mysql_client_test.c @@ -14912,22 +14912,31 @@ static void test_bug15613() /* Bug#17667: An attacker has the opportunity to bypass query logging. + + Note! Also tests Bug#21813, where prepared statements are used to + run queries */ static void test_bug17667() { int rc; + MYSQL_STMT *stmt; + enum query_type { QT_NORMAL, QT_PREPARED}; struct buffer_and_length { + enum query_type qt; const char *buffer; const uint length; } statements[]= { - { "drop table if exists bug17667", 29 }, - { "create table bug17667 (c varchar(20))", 37 }, - { "insert into bug17667 (c) values ('regular') /* NUL=\0 with comment */", 68 }, - { "insert into bug17667 (c) values ('NUL=\0 in value')", 50 }, - { "insert into bug17667 (c) values ('5 NULs=\0\0\0\0\0')", 48 }, - { "/* NUL=\0 with comment */ insert into bug17667 (c) values ('encore')", 67 }, - { "drop table bug17667", 19 }, - { NULL, 0 } }; + { QT_NORMAL, "drop table if exists bug17667", 29 }, + { QT_NORMAL, "create table bug17667 (c varchar(20))", 37 }, + { QT_NORMAL, "insert into bug17667 (c) values ('regular') /* NUL=\0 with comment */", 68 }, + { QT_PREPARED, + "insert into bug17667 (c) values ('prepared') /* NUL=\0 with comment */", 69, }, + { QT_NORMAL, "insert into bug17667 (c) values ('NUL=\0 in value')", 50 }, + { QT_NORMAL, "insert into bug17667 (c) values ('5 NULs=\0\0\0\0\0')", 48 }, + { QT_PREPARED, "insert into bug17667 (c) values ('6 NULs=\0\0\0\0\0\0')", 50 }, + { QT_NORMAL, "/* NUL=\0 with comment */ insert into bug17667 (c) values ('encore')", 67 }, + { QT_NORMAL, "drop table bug17667", 19 }, + { QT_NORMAL, NULL, 0 } }; struct buffer_and_length *statement_cursor; FILE *log_file; 
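Review bot: The length given for the new QT_PREPARED `'6 NULs=...'` entry looks one too large: as rendered here the literal holds 49 characters (the 48-byte `5 NULs` statement plus one more `\0`), yet the table says 50, so the extra byte would be the literal's own terminating NUL. The read stays inside the array, but the test then sends, and later searches the log for, a statement with a trailing NUL that the table does not show, which blurs what the logging check proves for this case. Hand-counted lengths next to embedded NULs are easy to get wrong; either correct the value to `49` or derive every length from the literal, for example with `#define STMT(qt, s) { qt, s, sizeof(s) - 1 }`. The body of test_bug17667 continues past this hunk.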
@@ -14937,9 +14946,36 @@ static void test_bug17667() for (statement_cursor= statements; statement_cursor->buffer != NULL; statement_cursor++) { - rc= mysql_real_query(mysql, statement_cursor->buffer, - statement_cursor->length); - myquery(rc); + if (statement_cursor->qt == QT_NORMAL) + { + /* Run statement as normal query */ + rc= mysql_real_query(mysql, statement_cursor->buffer, + statement_cursor->length); + myquery(rc); + } + else if (statement_cursor->qt == QT_PREPARED) + { + /* + Run as prepared statement + + NOTE! All these queries should be in the log twice, + one time for prepare and one time for execute + */ + stmt= mysql_stmt_init(mysql); + + rc= mysql_stmt_prepare(stmt, statement_cursor->buffer, + statement_cursor->length); + check_execute(stmt, rc); + + rc= mysql_stmt_execute(stmt); + check_execute(stmt, rc); + + mysql_stmt_close(stmt); + } + else + { + assert(0==1); + } } /* Make sure the server has written the logs to disk before reading it */ 
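Review bot: The result of `mysql_stmt_init(mysql)` in the QT_PREPARED branch is passed straight to `mysql_stmt_prepare` without a NULL check, so an allocation failure would show up as a crash inside the client library rather than as a test failure; add `if (stmt == NULL) DIE("mysql_stmt_init failed");` right after the call. The return value of `mysql_stmt_close(stmt)` is also dropped, although the prepare and execute calls in the same branch are checked. In the final `else`, `assert(0==1)` disappears when the file is built with NDEBUG, which would leave an unknown query type silently skipped and never sent; `DIE("Unknown query type");` keeps the check in every build. The loop belongs to test_bug17667, which starts and ends outside this hunk.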
@@ -14957,29 +14993,36 @@ static void test_bug17667() for (statement_cursor= statements; statement_cursor->buffer != NULL; statement_cursor++) { + int expected_hits= 1, hits= 0; char line_buffer[MAX_TEST_QUERY_LENGTH*2]; /* more than enough room for the query and some marginalia. */ + /* Prepared statments always occurs twice in log */ + if (statement_cursor->qt == QT_PREPARED) + expected_hits++; + + /* Loop until we found expected number of log entries */ do { - memset(line_buffer, '/', MAX_TEST_QUERY_LENGTH*2); + /* Loop until statement is found in log */ + do { + memset(line_buffer, '/', MAX_TEST_QUERY_LENGTH*2); - if(fgets(line_buffer, MAX_TEST_QUERY_LENGTH*2, log_file) == NULL) - { - /* If fgets returned NULL, it indicates either error or EOF */ - if (feof(log_file)) - DIE("Found EOF before all statements where found"); - else + if(fgets(line_buffer, MAX_TEST_QUERY_LENGTH*2, log_file) == NULL) { + /* If fgets returned NULL, it indicates either error or EOF */ + if (feof(log_file)) + DIE("Found EOF before all statements where found"); + fprintf(stderr, "Got error %d while reading from file\n", ferror(log_file)); DIE("Read error"); } - } - /* Print the line */ - printf("%s", line_buffer); - } while (my_memmem(line_buffer, MAX_TEST_QUERY_LENGTH*2, - statement_cursor->buffer, statement_cursor->length) == NULL); + } while (my_memmem(line_buffer, MAX_TEST_QUERY_LENGTH*2, + statement_cursor->buffer, + statement_cursor->length) == NULL); + hits++; + } while (hits < expected_hits); printf("Found statement starting with \"%s\"\n", statement_cursor->buffer); |
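Review bot: The new `hits` loop counts any log line that contains the statement bytes, so for a QT_PREPARED entry it cannot tell a prepare record followed by an execute record from the same kind of record appearing twice; if the log format allows it, the two matching lines should also be checked for different command markers. When EOF is reached the failure message does not say how far the search got; printing the counters first, `fprintf(stderr, "Found %d of %d log entries\n", hits, expected_hits);`, would show whether the prepare or the execute entry went missing. Dropping the `else` before the `fprintf` relies on `DIE` not returning, which deserves a short comment because its definition is outside this hunk. The comment `Prepared statments always occurs twice in log` should read `Prepared statements always occur twice in the log`.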