diff options
-rw-r--r-- | mysql-test/r/grant_lowercase.result | 20 | ||||
-rw-r--r-- | mysql-test/t/grant_lowercase.opt | 1 | ||||
-rw-r--r-- | mysql-test/t/grant_lowercase.test | 30 | ||||
-rw-r--r-- | sql/sql_acl.cc | 37 |
4 files changed, 81 insertions, 7 deletions
diff --git a/mysql-test/r/grant_lowercase.result b/mysql-test/r/grant_lowercase.result new file mode 100644 index 00000000000..489f990daf1 --- /dev/null +++ b/mysql-test/r/grant_lowercase.result @@ -0,0 +1,20 @@ +grant file on *.* to user1@localhost with grant option; +grant select on `a%`.* to user1@localhost with grant option; +grant file on aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* to 'user'@'%' identified by 'secret'; +ERROR 42000: Incorrect database name 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' +drop user user1@localhost; +call mtr.add_suppression("Incorrect database name"); +alter table mysql.host modify Db varchar(200); +alter table mysql.db modify Db varchar(200); +insert mysql.host set db=concat('=>', repeat(_utf8 'й', 200)); +Warnings: +Warning 1265 Data truncated for column 'Db' at row 1 +insert mysql.db set db=concat('=>', repeat(_utf8 'й', 200)); +Warnings: +Warning 1265 Data truncated for column 'Db' at row 1 +flush privileges; +delete from mysql.host where db like '=>%'; +delete from mysql.db where db like '=>%'; +alter table mysql.host modify Db char(64); +alter table mysql.db modify Db char(64); +flush privileges; diff --git a/mysql-test/t/grant_lowercase.opt b/mysql-test/t/grant_lowercase.opt new file mode 100644 index 00000000000..5b0a3d41b41 --- /dev/null +++ b/mysql-test/t/grant_lowercase.opt @@ -0,0 +1 @@ +--lower-case-table-names=1 diff --git a/mysql-test/t/grant_lowercase.test b/mysql-test/t/grant_lowercase.test new file mode 100644 index 00000000000..157e13449c2 --- /dev/null +++ b/mysql-test/t/grant_lowercase.test @@ -0,0 +1,30 @@ +# test cases for strmov(tmp_db, db) -> strnmov replacement in sql_acl.cc + +# +# http://seclists.org/fulldisclosure/2012/Dec/4 +# + +# in acl_get(), check_grant_db(), mysql_grant() +grant file on *.* to user1@localhost with grant option; +grant select on `a%`.* to user1@localhost with grant option; +connect (conn1,localhost,user1,,); +connection conn1; +--error ER_WRONG_DB_NAME +grant file on aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* to 'user'@'%' identified by 'secret'; +connection default; +disconnect conn1; +drop user user1@localhost; + +# in acl_load() +call mtr.add_suppression("Incorrect database name"); +alter table mysql.host modify Db varchar(200); +alter table mysql.db modify Db varchar(200); +insert mysql.host set db=concat('=>', repeat(_utf8 'й', 200)); +insert mysql.db set db=concat('=>', repeat(_utf8 'й', 200)); +flush privileges; # shouldn't crash here +delete from mysql.host where db like '=>%'; +delete from mysql.db where db like '=>%'; +alter table mysql.host modify Db char(64); +alter table mysql.db modify Db char(64); +flush privileges; + diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 020aa042722..4f4c0eeb06b 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -341,7 +341,12 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables) convert db to lower case and give a warning if the db wasn't already in lower case */ - (void) strmov(tmp_name, host.db); + char *end = strnmov(tmp_name, host.db, sizeof(tmp_name)); + if (end >= tmp_name + sizeof(tmp_name)) + { + sql_print_warning(ER(ER_WRONG_DB_NAME), host.db); + continue; + } my_casedn_str(files_charset_info, host.db); if (strcmp(host.db, tmp_name) != 0) sql_print_warning("'host' entry '%s|%s' had database in mixed " @@ -595,7 +600,12 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables) convert db to lower case and give a warning if the db wasn't already in lower case */ - (void)strmov(tmp_name, db.db); + char *end = strnmov(tmp_name, db.db, sizeof(tmp_name)); + if (end >= tmp_name + sizeof(tmp_name)) + { + sql_print_warning(ER(ER_WRONG_DB_NAME), db.db); + continue; + } my_casedn_str(files_charset_info, db.db); if (strcmp(db.db, tmp_name) != 0) { @@ -2474,15 +2484,23 @@ static GRANT_NAME *name_hash_search(HASH *name_hash, const char *user, const char *tname, bool exact, bool name_tolower) { - char helping [SAFE_NAME_LEN*2+USERNAME_LENGTH+3], *name_ptr; + char helping[SAFE_NAME_LEN*2+USERNAME_LENGTH+3]; + char *hend = helping + sizeof(helping); uint len; GRANT_NAME *grant_name,*found=0; HASH_SEARCH_STATE state; - name_ptr= strmov(strmov(helping, user) + 1, db) + 1; - len = (uint) (strmov(name_ptr, tname) - helping) + 1; + char *db_ptr= strmov(helping, user) + 1; + char *tname_ptr= strnmov(db_ptr, db, hend - db_ptr) + 1; + if (tname_ptr > hend) + return 0; // invalid name = not found + char *end= strnmov(tname_ptr, tname, hend - tname_ptr) + 1; + if (end > hend) + return 0; // invalid name = not found + + len = (uint) (end - helping); if (name_tolower) - my_casedn_str(files_charset_info, name_ptr); + my_casedn_str(files_charset_info, tname_ptr); for (grant_name= (GRANT_NAME*) hash_first(name_hash, (uchar*) helping, len, &state); grant_name ; @@ -3466,7 +3484,12 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list, if (lower_case_table_names && db) { - strmov(tmp_db,db); + char *end= strnmov(tmp_db,db, sizeof(tmp_db)); + if (end >= tmp_db + sizeof(tmp_db)) + { + my_error(ER_WRONG_DB_NAME ,MYF(0), db); + DBUG_RETURN(TRUE); + } my_casedn_str(files_charset_info, tmp_db); db=tmp_db; } |