6 files changed, 96 insertions, 48 deletions

diff --git a/sql/ha_myisam.cc b/sql/ha_myisam.cc
index a7beae664b9..7ddb7ca25ed 100644
--- a/sql/ha_myisam.cc
+++ b/sql/ha_myisam.cc
@@ -1334,7 +1334,7 @@ int ha_myisam::create(const char *name, register TABLE *table_arg,
 		      HA_CREATE_INFO *info)
 {
   int error;
-  uint i,j,recpos,minpos,fieldpos,temp_length,length;
+  uint i,j,recpos,minpos,fieldpos,temp_length,length, create_flags= 0;
   bool found_real_auto_increment=0;
   enum ha_base_keytype type;
   char buff[FN_REFLEN];
@@ -1510,17 +1510,21 @@ int ha_myisam::create(const char *name, register TABLE *table_arg,
   create_info.data_file_name= info->data_file_name;
   create_info.index_file_name=info->index_file_name;
 
+  if (info->options & HA_LEX_CREATE_TMP_TABLE)
+    create_flags|= HA_CREATE_TMP_TABLE;
+  if (options & HA_OPTION_PACK_RECORD)
+    create_flags|= HA_PACK_RECORD;
+  if (options & HA_OPTION_CHECKSUM)
+    create_flags|= HA_CREATE_CHECKSUM;
+  if (options & HA_OPTION_DELAY_KEY_WRITE)
+    create_flags|= HA_CREATE_DELAY_KEY_WRITE;
+
   /* TODO: Check that the following fn_format is really needed */
   error=mi_create(fn_format(buff,name,"","",2+4),
 		  table_arg->keys,keydef,
 		  (uint) (recinfo_pos-recinfo), recinfo,
 		  0, (MI_UNIQUEDEF*) 0,
-		  &create_info,
-		  (((options & HA_OPTION_PACK_RECORD) ? HA_PACK_RECORD : 0) |
-		   ((options & HA_OPTION_CHECKSUM) ? HA_CREATE_CHECKSUM : 0) |
-		   ((options & HA_OPTION_DELAY_KEY_WRITE) ?
-		    HA_CREATE_DELAY_KEY_WRITE : 0)));
-
+		  &create_info, create_flags);
 
   my_free((gptr) recinfo,MYF(0));
   DBUG_RETURN(error);
diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h
index 9e395aa37da..1859daa6fc3 100644
--- a/sql/mysql_priv.h
+++ b/sql/mysql_priv.h
@@ -915,7 +915,7 @@ extern my_bool opt_sql_bin_update, opt_safe_user_create, opt_no_mix_types;
 extern my_bool opt_safe_show_db, opt_local_infile;
 extern my_bool opt_slave_compressed_protocol, use_temp_pool;
 extern my_bool opt_readonly, lower_case_file_system;
-extern my_bool opt_enable_named_pipe, opt_sync_frm;
+extern my_bool opt_enable_named_pipe, opt_sync_frm, opt_allow_suspicious_udfs;
 extern my_bool opt_secure_auth;
 extern uint opt_crash_binlog_innodb;
 extern char *shared_memory_base_name, *mysqld_unix_port;
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index d18a4e2b94f..d722dd5839c 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -290,7 +290,7 @@ const char *opt_ndbcluster_connectstring= 0;
 my_bool	opt_ndb_shm, opt_ndb_optimized_node_selection;
 #endif
 my_bool opt_readonly, use_temp_pool, relay_log_purge;
-my_bool opt_sync_bdb_logs, opt_sync_frm;
+my_bool opt_sync_bdb_logs, opt_sync_frm, opt_allow_suspicious_udfs;
 my_bool opt_secure_auth= 0;
 my_bool opt_short_log_format= 0;
 my_bool opt_log_queries_not_using_indexes= 0;
@@ -4135,7 +4135,7 @@ enum options_mysqld
   OPT_BDB_MAX_LOCK,
   OPT_ERROR_LOG_FILE,
   OPT_DEFAULT_WEEK_FORMAT,
-  OPT_RANGE_ALLOC_BLOCK_SIZE,
+  OPT_RANGE_ALLOC_BLOCK_SIZE, OPT_ALLOW_SUSPICIOUS_UDFS,
   OPT_QUERY_ALLOC_BLOCK_SIZE, OPT_QUERY_PREALLOC_SIZE,
   OPT_TRANS_ALLOC_BLOCK_SIZE, OPT_TRANS_PREALLOC_SIZE,
   OPT_SYNC_FRM, OPT_SYNC_BINLOG,
@@ -4175,6 +4175,13 @@ struct my_option my_long_options[] =
 #endif /* HAVE_REPLICATION */
   {"ansi", 'a', "Use ANSI SQL syntax instead of MySQL syntax. This mode will also set transaction isolation level 'serializable'.", 0, 0, 0,
    GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},
+  {"allow-suspicious-udfs", OPT_ALLOW_SUSPICIOUS_UDFS,
+   "Allows to use UDF's consisting of only one symbol xxx() "
+   "without corresponing xxx_init() or xxx_deinit(). That also means "
+   "that one can load any function from any library, for example exit() "
+   "from libc.so",
+   (gptr*) &opt_allow_suspicious_udfs, (gptr*) &opt_allow_suspicious_udfs,
+   0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
   {"basedir", 'b',
    "Path to installation directory. All paths are usually resolved relative to this.",
    (gptr*) &mysql_home_ptr, (gptr*) &mysql_home_ptr, 0, GET_STR, REQUIRED_ARG,
diff --git a/sql/share/english/errmsg.txt b/sql/share/english/errmsg.txt
index 8ede3f61a0b..104a055417c 100644
--- a/sql/share/english/errmsg.txt
+++ b/sql/share/english/errmsg.txt
@@ -143,7 +143,7 @@ character-set=latin1
 "No paths allowed for shared library",
 "Function '%-.64s' already exists",
 "Can't open shared library '%-.64s' (errno: %d %-.64s)",
-"Can't find function '%-.64s' in library'",
+"Can't find function '%-.64s' in library",
 "Function '%-.64s' is not defined",
 "Host '%-.64s' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'",
 "Host '%-.64s' is not allowed to connect to this MySQL server",
diff --git a/sql/sql_udf.cc b/sql/sql_udf.cc
index 0bb8ac8a28b..b28b1cb1f92 100644
--- a/sql/sql_udf.cc
+++ b/sql/sql_udf.cc
@@ -74,32 +74,49 @@ static HASH udf_hash;
 static rw_lock_t THR_LOCK_udf;
 
 
-static udf_func *add_udf(LEX_STRING *name, Item_result ret, char *dl,
-			 Item_udftype typ);
+static udf_func *add_udf(LEX_STRING *name, Item_result ret,
+                         char *dl, Item_udftype typ);
 static void del_udf(udf_func *udf);
 static void *find_udf_dl(const char *dl);
 
-
-static void init_syms(udf_func *tmp)
+static char *init_syms(udf_func *tmp, char *nm)
 {
-  char nm[MAX_FIELD_NAME+16],*end;
+  char *end;
+
+  if (!((tmp->func= dlsym(tmp->dlhandle, tmp->name))))
+    return tmp->name;
+
+  end=strmov(nm,tmp->name);
 
-  tmp->func = dlsym(tmp->dlhandle, tmp->name.str);
-  end=strmov(nm,tmp->name.str);
-  (void) strmov(end,"_init");
-  tmp->func_init = dlsym(tmp->dlhandle, nm);
-  (void) strmov(end,"_deinit");
-  tmp->func_deinit = dlsym(tmp->dlhandle, nm);
   if (tmp->type == UDFTYPE_AGGREGATE)
   {
-    (void)strmov( end, "_clear" );
-    tmp->func_clear = dlsym( tmp->dlhandle, nm );
-    (void)strmov( end, "_add" );
-    tmp->func_add = dlsym( tmp->dlhandle, nm );
-    /* Give error if _clear and _add doesn't exists */
-    if (!tmp->func_clear || ! tmp->func_add)
-      tmp->func= 0;
+    (void)strmov(end, "_clear");
+    if (!((tmp->func_clear= dlsym(tmp->dlhandle, nm))))
+      return nm;
+    (void)strmov(end, "_add");
+    if (!((tmp->func_add= dlsym(tmp->dlhandle, nm))))
+      return nm;
+  }
+
+  (void) strmov(end,"_deinit");
+  tmp->func_deinit= dlsym(tmp->dlhandle, nm);
+
+  (void) strmov(end,"_init");
+  tmp->func_init= dlsym(tmp->dlhandle, nm);
+
+  /*
+    to prefent loading "udf" from, e.g. libc.so
+    let's ensure that at least one auxiliary symbol is defined
+  */
+  if (!tmp->func_init && !tmp->func_deinit && tmp->type != UDFTYPE_AGGREGATE)
+  {
+    if (opt_allow_suspicious_udfs)
+      sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), nm);
+    else
+      return nm;
   }
+
+  return 0;
 }
 
 extern "C" byte* get_hash_key(const byte *buff,uint *length,
@@ -111,7 +128,7 @@ extern "C" byte* get_hash_key(const byte *buff,uint *length,
 }
 
 /*
-** Read all predeclared functions from func@mysql and accept all that
+** Read all predeclared functions from mysql.func and accept all that
 ** can be used.
 */
 
@@ -153,7 +170,7 @@ void udf_init()
   if (simple_open_n_lock_tables(new_thd, &tables))
   {
     DBUG_PRINT("error",("Can't open udf table"));
-    sql_print_error("Can't open the mysql/func table. Please run the mysql_install_db script to create it.");
+    sql_print_error("Can't open the mysql.func table. Please run the mysql_install_db script to create it.");
     goto end;
   }
 
@@ -171,10 +188,23 @@ void udf_init()
     if (table->fields >= 4)			// New func table
       udftype=(Item_udftype) table->field[3]->val_int();
 
-    if (!(tmp = add_udf(&name,(Item_result) table->field[1]->val_int(),
-			dl_name, udftype)))
+    /*
+      Ensure that the .dll doesn't have a path
+      This is done to ensure that only approved dll from the system
+      directories are used (to make this even remotely secure).
+    */
+    if (strchr(dl_name, '/') || strlen(name) > NAME_LEN)
+    {
+      sql_print_error("Invalid row in mysql.func table for function '%.64s'",
+                      name);
+      continue;
+    }
+
+
+    if (!(tmp= add_udf(&name,(Item_result) table->field[1]->val_int(),
+                       dl_name, udftype)))
     {
-      sql_print_error("Can't alloc memory for udf function: name");
+      sql_print_error("Can't alloc memory for udf function: '%.64s'", name);
       continue;
     }
 
@@ -191,13 +221,15 @@ void udf_init()
       new_dl=1;
     }
     tmp->dlhandle = dl;
-    init_syms(tmp);
-    if (!tmp->func)
     {
-      sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), name);
-      del_udf(tmp);
-      if (new_dl)
-	dlclose(dl);
+      char buf[MAX_FIELD_NAME+16], *missing;
+      if ((missing= init_syms(tmp, buf)))
+      {
+        sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), missing);
+        del_udf(tmp);
+        if (new_dl)
+          dlclose(dl);
+      }
     }
   }
   if (error > 0)
@@ -406,12 +438,13 @@ int mysql_create_function(THD *thd,udf_func *udf)
     new_dl=1;
   }
   udf->dlhandle=dl;
-  init_syms(udf);
-
-  if (udf->func == NULL)
   {
-    net_printf(thd, ER_CANT_FIND_DL_ENTRY, udf->name);
-    goto err;
+    char buf[MAX_FIELD_NAME+16], *missing;
+    if ((missing= init_syms(udf, buf)))
+    {
+      net_printf(thd, ER_CANT_FIND_DL_ENTRY, missing);
+      goto err;
+    }
   }
   udf->name.str=strdup_root(&mem,udf->name.str);
   udf->dl=strdup_root(&mem,udf->dl);
@@ -427,7 +460,7 @@ int mysql_create_function(THD *thd,udf_func *udf)
   u_d->func_clear=udf->func_clear;
   u_d->func_add=udf->func_add;
 
-  /* create entry in mysql/func table */
+  /* create entry in mysql.func table */
 
   bzero((char*) &tables,sizeof(tables));
   tables.db= (char*) "mysql";
@@ -447,7 +480,7 @@ int mysql_create_function(THD *thd,udf_func *udf)
   close_thread_tables(thd);
   if (error)
   {
-    net_printf(thd, ER_ERROR_ON_WRITE, "func@mysql",error);
+    net_printf(thd, ER_ERROR_ON_WRITE, "mysql.func",error);
     del_udf(u_d);
     goto err;
   }
diff --git a/sql/table.cc b/sql/table.cc
index 064d7f1afc1..cdcd5148787 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -1229,6 +1229,10 @@ File create_frm(register my_string name, uint reclength, uchar *fileinfo,
   uint key_length;
   ulong length;
   char fill[IO_SIZE];
+  int create_flags= O_RDWR | O_TRUNC;
+
+  if (create_info->options & HA_LEX_CREATE_TMP_TABLE)
+    create_flags|= O_EXCL | O_NOFOLLOW;
 
 #if SIZEOF_OFF_T > 4
   /* Fix this when we have new .frm files;  Current limit is 4G rows (QQ) */
@@ -1243,7 +1247,7 @@ File create_frm(register my_string name, uint reclength, uchar *fileinfo,
   */
   set_if_smaller(create_info->raid_chunks, 255);
 
-  if ((file=my_create(name,CREATE_MODE,O_RDWR | O_TRUNC,MYF(MY_WME))) >= 0)
+  if ((file= my_create(name, CREATE_MODE, create_flags, MYF(MY_WME))) >= 0)
   {
     bzero((char*) fileinfo,64);
     fileinfo[0]=(uchar) 254; fileinfo[1]= 1; fileinfo[2]= FRM_VER+3; // Header