14 files changed, 148 insertions, 21 deletions

diff --git a/extra/libevent/Makefile.am b/extra/libevent/Makefile.am
index 702c07c6eeb..1c9066c3122 100644
--- a/extra/libevent/Makefile.am
+++ b/extra/libevent/Makefile.am
@@ -36,4 +36,4 @@ event-config.h: $(top_builddir)/include/config.h
 	    -e 's/#ifndef /#ifndef _EVENT_/' < $(top_builddir)/include/config.h >> $@
 	echo "#endif" >> $@
 
-AM_CPPFLAGS = -Icompat -I$(top_srcdir)/include
+AM_CPPFLAGS = -I$(srcdir)/compat -I$(top_srcdir)/include
diff --git a/mysql-test/r/grant.result b/mysql-test/r/grant.result
index 61cd498a4fd..f410b26a1fe 100644
--- a/mysql-test/r/grant.result
+++ b/mysql-test/r/grant.result
@@ -1414,3 +1414,19 @@ DROP USER 'user1';
 DROP USER 'user1'@'localhost';
 DROP USER 'user2';
 DROP DATABASE db1;
+CREATE DATABASE db1;
+CREATE DATABASE db2;
+GRANT SELECT ON db1.* to 'testbug'@localhost;
+USE db2;
+CREATE TABLE t1 (a INT);
+USE test;
+SELECT * FROM `../db2/tb2`;
+ERROR 42S02: Table 'db1.../db2/tb2' doesn't exist
+SELECT * FROM `../db2`.tb2;
+ERROR 42000: SELECT command denied to user 'testbug'@'localhost' for table 'tb2'
+SELECT * FROM `#mysql50#/../db2/tb2`;
+ERROR 42S02: Table 'db1.#mysql50#/../db2/tb2' doesn't exist
+DROP USER 'testbug'@localhost;
+DROP TABLE db2.t1;
+DROP DATABASE db1;
+DROP DATABASE db2;
diff --git a/mysql-test/t/grant.test b/mysql-test/t/grant.test
index e89650c7aec..5bdb3ebe9bf 100644
--- a/mysql-test/t/grant.test
+++ b/mysql-test/t/grant.test
@@ -1525,5 +1525,30 @@ DROP USER 'user1'@'localhost';
 DROP USER 'user2';
 DROP DATABASE db1;
 
+
+#
+# Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
+#
+
+CREATE DATABASE db1;
+CREATE DATABASE db2;
+GRANT SELECT ON db1.* to 'testbug'@localhost;
+USE db2;
+CREATE TABLE t1 (a INT);
+USE test;
+connect (con1,localhost,testbug,,db1);
+--error ER_NO_SUCH_TABLE
+SELECT * FROM `../db2/tb2`;
+--error ER_TABLEACCESS_DENIED_ERROR
+SELECT * FROM `../db2`.tb2;
+--error ER_NO_SUCH_TABLE
+SELECT * FROM `#mysql50#/../db2/tb2`;
+connection default;
+disconnect con1;
+DROP USER 'testbug'@localhost;
+DROP TABLE db2.t1;
+DROP DATABASE db1;
+DROP DATABASE db2;
+
 # Wait till we reached the initial number of concurrent sessions
 --source include/wait_until_count_sessions.inc
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index f0db25be79a..2563c49280e 100755
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -56,22 +56,22 @@ SET(pkgdatadir          ${prefix}/share)
 SET(localstatedir       ${prefix}/data)
 
 CONFIGURE_FILE(mysql_config.pl.in
-               scripts/mysql_config.pl ESCAPE_QUOTES @ONLY)
+               ${CMAKE_BINARY_DIR}/scripts/mysql_config.pl ESCAPE_QUOTES @ONLY)
 
 CONFIGURE_FILE(mysql_convert_table_format.sh
-               scripts/mysql_convert_table_format.pl ESCAPE_QUOTES @ONLY)
+               ${CMAKE_BINARY_DIR}/scripts/mysql_convert_table_format.pl ESCAPE_QUOTES @ONLY)
 
 CONFIGURE_FILE(mysql_install_db.pl.in
-               scripts/mysql_install_db.pl ESCAPE_QUOTES @ONLY)
+               ${CMAKE_BINARY_DIR}/scripts/mysql_install_db.pl ESCAPE_QUOTES @ONLY)
 
 CONFIGURE_FILE(mysql_secure_installation.pl.in
-               scripts/mysql_secure_installation.pl ESCAPE_QUOTES @ONLY)
+               ${CMAKE_BINARY_DIR}/scripts/mysql_secure_installation.pl ESCAPE_QUOTES @ONLY)
 
 CONFIGURE_FILE(mysqld_multi.sh
-               scripts/mysqld_multi.pl ESCAPE_QUOTES @ONLY)
+               ${CMAKE_BINARY_DIR}/scripts/mysqld_multi.pl ESCAPE_QUOTES @ONLY)
 
 CONFIGURE_FILE(mysqldumpslow.sh
-               scripts/mysqldumpslow.pl ESCAPE_QUOTES @ONLY)
+               ${CMAKE_BINARY_DIR}/scripts/mysqldumpslow.pl ESCAPE_QUOTES @ONLY)
 
 CONFIGURE_FILE(mysqlhotcopy.sh
-               scripts/mysqlhotcopy.pl ESCAPE_QUOTES @ONLY)
+               ${CMAKE_BINARY_DIR}/scripts/mysqlhotcopy.pl ESCAPE_QUOTES @ONLY)
diff --git a/scripts/mysqld_multi.sh b/scripts/mysqld_multi.sh
index 528a1ca2e98..3d3853bcb22 100644
--- a/scripts/mysqld_multi.sh
+++ b/scripts/mysqld_multi.sh
@@ -71,7 +71,6 @@ sub main
       print "WARNING: --config-file is deprecated and will be removed\n";
       print "in MySQL 5.6.  Please use --defaults-extra-file instead\n";
     }
-   }
   }
 
   foreach (@defaults_options)
diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h
index c178f348206..791b7e7eca2 100644
--- a/sql/mysql_priv.h
+++ b/sql/mysql_priv.h
@@ -2339,7 +2339,7 @@ void update_create_info_from_table(HA_CREATE_INFO *info, TABLE *form);
 int rename_file_ext(const char * from,const char * to,const char * ext);
 bool check_db_name(LEX_STRING *db);
 bool check_column_name(const char *name);
-bool check_table_name(const char *name, uint length);
+bool check_table_name(const char *name, uint length, bool check_for_path_chars);
 char *get_field(MEM_ROOT *mem, Field *field);
 bool get_field(MEM_ROOT *mem, Field *field, class String *res);
 int wild_case_compare(CHARSET_INFO *cs, const char *str,const char *wildstr);
diff --git a/sql/partition_info.cc b/sql/partition_info.cc
index e7d3e842903..0de8e478f03 100644
--- a/sql/partition_info.cc
+++ b/sql/partition_info.cc
@@ -972,7 +972,7 @@ bool partition_info::check_partition_info(THD *thd, handlerton **eng_type,
           part_elem->engine_type= default_engine_type;
         }
         if (check_table_name(part_elem->partition_name,
-                             strlen(part_elem->partition_name)))
+                             strlen(part_elem->partition_name), FALSE))
         {
           my_error(ER_WRONG_PARTITION_NAME, MYF(0));
           goto end;
@@ -990,7 +990,7 @@ bool partition_info::check_partition_info(THD *thd, handlerton **eng_type,
         {
           sub_elem= sub_it++;
           if (check_table_name(sub_elem->partition_name,
-                               strlen(sub_elem->partition_name)))
+                               strlen(sub_elem->partition_name), FALSE))
           {
             my_error(ER_WRONG_PARTITION_NAME, MYF(0));
             goto end;
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 62a0db03c3d..7d57b659044 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -1270,6 +1270,11 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
                                 system_charset_info, packet, db_length,
                                 thd->charset(), &dummy_errors);
     db_buff[db_length]= '\0';
+    if (check_table_name(db_buff, db_length, FALSE))
+    {
+      my_error(ER_WRONG_TABLE_NAME, MYF(0), db_buff);
+      break;
+    }
     table_list.alias= table_list.table_name= db_buff;
     if (!(fields= (char *) thd->memdup(wildcard, query_length + 1)))
       break;
@@ -6276,7 +6281,7 @@ TABLE_LIST *st_select_lex::add_table_to_list(THD *thd,
     DBUG_RETURN(0);				// End of memory
   alias_str= alias ? alias->str : table->table.str;
   if (!test(table_options & TL_OPTION_ALIAS) && 
-      check_table_name(table->table.str, table->table.length))
+      check_table_name(table->table.str, table->table.length, FALSE))
   {
     my_error(ER_WRONG_TABLE_NAME, MYF(0), table->table.str);
     DBUG_RETURN(0);
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 279c4bcac60..e4fcc5032d3 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -10991,6 +10991,11 @@ create_internal_tmp_table_from_heap2(THD *thd, TABLE *table,
   if (table->s->db_type() != heap_hton || 
       error != HA_ERR_RECORD_FILE_FULL)
   {
+    /*
+      We don't want this error to be converted to a warning, e.g. in case of
+      INSERT IGNORE ... SELECT.
+    */
+    thd->fatal_error();
     table->file->print_error(error,MYF(0));
     DBUG_RETURN(1);
   }
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index 5aede352708..3dd322ae20b 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -428,7 +428,21 @@ uint tablename_to_filename(const char *from, char *to, uint to_length)
   DBUG_PRINT("enter", ("from '%s'", from));
 
   if ((length= check_n_cut_mysql50_prefix(from, to, to_length)))
+  {
+    /*
+      Check if the name supplied is a valid mysql 5.0 name and 
+      make the name a zero length string if it's not.
+      Note that just returning zero length is not enough : 
+      a lot of places don't check the return value and expect 
+      a zero terminated string.
+    */  
+    if (check_table_name(to, length, TRUE))
+    {
+      to[0]= 0;
+      length= 0;
+    }
     DBUG_RETURN(length);
+  }
   length= strconvert(system_charset_info, from,
                      &my_charset_filename, to, to_length, &errors);
   if (check_if_legal_tablename(to) &&
diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy
index e5deb2c7768..9702128c9a0 100644
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -6345,7 +6345,7 @@ alter_list_item:
             {
               MYSQL_YYABORT;
             }
-            if (check_table_name($3->table.str,$3->table.length) ||
+            if (check_table_name($3->table.str,$3->table.length, FALSE) ||
                 ($3->db.str && check_db_name(&$3->db)))
             {
               my_error(ER_WRONG_TABLE_NAME, MYF(0), $3->table.str);
diff --git a/sql/table.cc b/sql/table.cc
index ac026120964..dc824353166 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -501,6 +501,19 @@ inline bool is_system_table_name(const char *name, uint length)
 }
 
 
+/**
+  Check if a string contains path elements
+*/  
+
+static inline bool has_disabled_path_chars(const char *str)
+{
+  for (; *str; str++)
+    if (*str == FN_EXTCHAR || *str == '/' || *str == '\\' || *str == '~' || *str == '@')
+      return TRUE;
+  return FALSE;
+}
+
+
 /*
   Read table definition from a binary / text based .frm file
   
@@ -555,7 +568,8 @@ int open_table_def(THD *thd, TABLE_SHARE *share, uint db_flags)
         This kind of tables must have been opened only by the
         my_open() above.
     */
-    if (strchr(share->table_name.str, '@') ||
+    if (has_disabled_path_chars(share->table_name.str) ||
+        has_disabled_path_chars(share->db.str) ||
         !strncmp(share->db.str, MYSQL50_TABLE_NAME_PREFIX,
                  MYSQL50_TABLE_NAME_PREFIX_LENGTH) ||
         !strncmp(share->table_name.str, MYSQL50_TABLE_NAME_PREFIX,
@@ -3161,7 +3175,6 @@ bool check_db_name(LEX_STRING *org_name)
             (name_length > NAME_CHAR_LEN)); /* purecov: inspected */
 }
 
-
 /*
   Allow anything as a table name, as long as it doesn't contain an
   ' ' at the end
@@ -3169,7 +3182,7 @@ bool check_db_name(LEX_STRING *org_name)
 */
 
 
-bool check_table_name(const char *name, uint length)
+bool check_table_name(const char *name, uint length, bool check_for_path_chars)
 {
   uint name_length= 0;  // name length in symbols
   const char *end= name+length;
@@ -3196,6 +3209,9 @@ bool check_table_name(const char *name, uint length)
         continue;
       }
     }
+    if (check_for_path_chars &&
+        (*name == '/' || *name == '\\' || *name == '~' || *name == FN_EXTCHAR))
+      return 1;
 #endif
     name++;
     name_length++;
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index 3cd3179ef69..0be541f7caa 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@@ -18093,6 +18093,50 @@ static void test_bug44495()
   DBUG_VOID_RETURN;
 }
 
+static void test_bug53371()
+{
+  int rc;
+  MYSQL_RES *result;
+
+  myheader("test_bug53371");
+
+  rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+
+  rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
+  myquery(rc);
+  rc= mysql_query(mysql, "CREATE DATABASE bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
+  myquery(rc);
+
+  rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
+  myquery(rc);
+
+  rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
+  DIE_UNLESS(rc);
+  DIE_UNLESS(mysql_errno(mysql) == 1142);
+
+  result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
+  DIE_IF(result);
+
+  result= mysql_list_fields(mysql, "#mysql50#/../client_test_db/t1", NULL);
+  DIE_IF(result);
+
+  rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP TABLE t1");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP DATABASE bug53371");
+  myquery(rc);
+  rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
+  myquery(rc);
+}
+
+
 /*
   Read and parse arguments and MySQL options from my.cnf
 */
@@ -18402,6 +18446,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug30472", test_bug30472 },
   { "test_bug20023", test_bug20023 },
   { "test_bug45010", test_bug45010 },
+  { "test_bug53371", test_bug53371 },
   { "test_bug31418", test_bug31418 },
   { "test_bug31669", test_bug31669 },
   { "test_bug28386", test_bug28386 },
diff --git a/win/make_mariadb_win_dist b/win/make_mariadb_win_dist
index 9d0b3b26af3..67d23e55b8e 100644
--- a/win/make_mariadb_win_dist
+++ b/win/make_mariadb_win_dist
@@ -16,12 +16,14 @@ fi
 
 set -x
 
-win/configure-mariadb.sh
+if [ "x_$1" != "x_-nobuild" ]; then
+  win/configure-mariadb.sh
 
-cmake -G "Visual Studio 9 2008"
+  cmake -G "Visual Studio 9 2008"
 
-devenv.com MySQL.sln /build RelWithDebInfo
-devenv.com MySQL.sln /build Debug
+  devenv.com MySQL.sln /build RelWithDebInfo
+  devenv.com MySQL.sln /build Debug
+fi
 
 # TODO extract version number
 VER=`cat configure.in |