author | Ramil Kalimullin <ramil@mysql.com> | 2010-05-25 17:56:23 +0400 |
---|---|---|
committer | Ramil Kalimullin <ramil@mysql.com> | 2010-05-25 17:56:23 +0400 |
commit | eef9ce8c1ab519a150cdc67552e3eb36cfeca7ff (patch) | |
tree | 29bcd0eee0162c43a04010092070af323f32daa0 /tests | |
parent | 79e60f0a40d525fd1bdf924b4fef830e2aacb858 (diff) | |
download | mariadb-git-eef9ce8c1ab519a150cdc67552e3eb36cfeca7ff.tar.gz |
Fix for bug #53907: Table dump command can be abused to dump arbitrary tables.
Problem: a user with SELECT privilege on some table may dump another table
by issuing the COM_TABLE_DUMP command, because the table name was not checked.
Fix: check the table name.
sql/sql_parse.cc:
Fix for bug #53907: Table dump command can be abused to dump arbitrary tables.
- check given table name performing COM_TABLE_DUMP command.
tests/mysql_client_test.c:
Fix for bug #53907: Table dump command can be abused to dump arbitrary tables.
- test case.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/mysql_client_test.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index 5b26b96707b..b50c1efe92b 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@@ -16720,6 +16720,43 @@ static void test_bug53371()
 }
 
 
+static void test_bug53907()
+{
+ int rc;
+ char buf[] = "\x4test\x14../client_test_db/t1";
+
+ myheader("test_bug53907");
+
+ rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53907");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+
+ rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
+ myquery(rc);
+ rc= mysql_query(mysql, "CREATE DATABASE bug53907");
+ myquery(rc);
+ rc= mysql_query(mysql, "GRANT SELECT ON bug53907.* to 'testbug'@localhost");
+ myquery(rc);
+
+ rc= mysql_change_user(mysql, "testbug", NULL, "bug53907");
+ myquery(rc);
+
+ rc= simple_command(mysql, COM_TABLE_DUMP, buf, sizeof(buf), 0);
+ DIE_UNLESS(mysql_errno(mysql) == 1103); /* ER_WRONG_TABLE_NAME */
+
+ rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP TABLE t1");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP DATABASE bug53907");
+ myquery(rc);
+ rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+ myquery(rc);
+}
+
+
 /*
 Read and parse arguments and MySQL options from my.cnf
 */
@@ -17024,6 +17061,7 @@ static struct my_tests_st my_tests[]= {
 { "test_bug20023", test_bug20023 },
 { "test_bug45010", test_bug45010 },
 { "test_bug53371", test_bug53371 },
+ { "test_bug53907", test_bug53907 },
 { 0, 0 }
 };
 
|
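Review bot: The payload in `buf` is an unexplained magic literal, and the check after `simple_command` looks only at `mysql_errno` while the assigned `rc` is never examined. A comment such as `/* COM_TABLE_DUMP payload: <db length byte><db><table length byte><table>; the table name contains "../" and must be rejected */` would explain the `\x4` and `\x14` bytes, and `DIE_UNLESS(rc != 0);` before the errno check would pin that the command itself failed. The literal also hard-codes `client_test_db` although the cleanup switches back to `current_db`, so when the suite runs against a different database the traversal path may not name the `t1` created here. `sizeof(buf)` sends the literal's terminating NUL as part of the packet; `sizeof(buf) - 1` looks intended, though the server-side parser is not visible in this diff.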