From 8104faa08305df5cbc848fe593444d2716ba49eb Mon Sep 17 00:00:00 2001
From: unknown <serg@serg.mylan>
Date: Thu, 3 Mar 2005 19:51:29 +0100
Subject: Fixes for bugs reported by Stefano Di Paola
 (stefano.dipaola@wisec.it)

include/my_global.h:
  O_NOFOLLOW
isam/create.c:
  create table files with O_EXCL|O_NOFOLLOW
merge/mrg_create.c:
  create table files with O_EXCL|O_NOFOLLOW
myisam/mi_create.c:
  create files of temporary tables with O_EXCL|O_NOFOLLOW
myisammrg/myrg_create.c:
  create table files with O_EXCL|O_NOFOLLOW
mysys/mf_tempfile.c:
  create temporary files with O_EXCL|O_NOFOLLOW
sql/ha_myisam.cc:
  let mi_create know if the table is TEMPORARY
sql/mysql_priv.h:
  --allow_suspicious_udfs
sql/mysqld.cc:
  --allow_suspicious_udfs
sql/share/english/errmsg.txt:
  typo
sql/sql_udf.cc:
  --allow_suspicious_udfs
  don't allow xxx() udf without any of xxx_init/deinit/add/reset
  check paths when loading from mysql.func
sql/table.cc:
  create frm of temporary table with O_EXCL|O_NOFOLLOW
---
 sql/sql_udf.cc | 98 +++++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 67 insertions(+), 31 deletions(-)

(limited to 'sql/sql_udf.cc')

diff --git a/sql/sql_udf.cc b/sql/sql_udf.cc
index 431f8a13d28..ae83cfef305 100644
--- a/sql/sql_udf.cc
+++ b/sql/sql_udf.cc
@@ -73,29 +73,49 @@ static HASH udf_hash;
 static pthread_mutex_t THR_LOCK_udf;
 
 
-static udf_func *add_udf(char *name, Item_result ret, char *dl,
-			 Item_udftype typ);
+static udf_func *add_udf(char *name, Item_result ret,
+                         char *dl, Item_udftype typ);
 static void del_udf(udf_func *udf);
 static void *find_udf_dl(const char *dl);
 
-
-static void init_syms(udf_func *tmp)
+static char *init_syms(udf_func *tmp, char *nm)
 {
-  char nm[MAX_FIELD_NAME+16],*end;
+  char *end;
+
+  if (!((tmp->func= dlsym(tmp->dlhandle, tmp->name))))
+    return tmp->name;
 
-  tmp->func = dlsym(tmp->dlhandle, tmp->name);
   end=strmov(nm,tmp->name);
-  (void) strmov(end,"_init");
-  tmp->func_init = dlsym(tmp->dlhandle, nm);
-  (void) strmov(end,"_deinit");
-  tmp->func_deinit = dlsym(tmp->dlhandle, nm);
+
   if (tmp->type == UDFTYPE_AGGREGATE)
   {
-    (void)strmov( end, "_reset" );
-    tmp->func_reset = dlsym( tmp->dlhandle, nm );
-    (void)strmov( end, "_add" );
-    tmp->func_add = dlsym( tmp->dlhandle, nm );
+    (void)strmov(end, "_reset");
+    if (!((tmp->func_reset= dlsym(tmp->dlhandle, nm))))
+      return nm;
+    (void)strmov(end, "_add");
+    if (!((tmp->func_add= dlsym(tmp->dlhandle, nm))))
+      return nm;
+  }
+
+  (void) strmov(end,"_deinit");
+  tmp->func_deinit= dlsym(tmp->dlhandle, nm);
+
+  (void) strmov(end,"_init");
+  tmp->func_init= dlsym(tmp->dlhandle, nm);
+
+  /*
+    to prefent loading "udf" from, e.g. libc.so
+    let's ensure that at least one auxiliary symbol is defined
+  */
+  if (!tmp->func_init && !tmp->func_deinit && tmp->type != UDFTYPE_AGGREGATE)
+  {
+    if (opt_allow_suspicious_udfs)
+      sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), nm);
+    else
+      return nm;
   }
+
+  return 0;
 }
 
 extern "C" byte* get_hash_key(const byte *buff,uint *length,
@@ -107,7 +127,7 @@ extern "C" byte* get_hash_key(const byte *buff,uint *length,
 }
 
 /*
-** Read all predeclared functions from func@mysql and accept all that
+** Read all predeclared functions from mysql.func and accept all that
 ** can be used.
 */
 
@@ -149,7 +169,7 @@ void udf_init()
   if (open_and_lock_tables(new_thd, &tables))
   {
     DBUG_PRINT("error",("Can't open udf table"));
-    sql_print_error("Can't open the mysql/func table. Please run the mysql_install_db script to create it.");
+    sql_print_error("Can't open the mysql.func table. Please run the mysql_install_db script to create it.");
     goto end;
   }
 
@@ -165,10 +185,22 @@ void udf_init()
     if (table->fields >= 4)			// New func table
       udftype=(Item_udftype) table->field[3]->val_int();
 
+    /*
+      Ensure that the .dll doesn't have a path
+      This is done to ensure that only approved dll from the system
+      directories are used (to make this even remotely secure).
+    */
+    if (strchr(dl_name, '/') || strlen(name) > NAME_LEN)
+    {
+      sql_print_error("Invalid row in mysql.func table for function '%.64s'",
+                      name);
+      continue;
+    }
+
     if (!(tmp = add_udf(name,(Item_result) table->field[1]->val_int(),
 			dl_name, udftype)))
     {
-      sql_print_error("Can't alloc memory for udf function: name");
+      sql_print_error("Can't alloc memory for udf function: '%.64s'", name);
       continue;
     }
 
@@ -186,13 +218,15 @@ void udf_init()
       new_dl=1;
     }
     tmp->dlhandle = dl;
-    init_syms(tmp);
-    if (!tmp->func)
     {
-      sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), name);
-      del_udf(tmp);
-      if (new_dl)
-	dlclose(dl);
+      char buf[MAX_FIELD_NAME+16], *missing;
+      if ((missing= init_syms(tmp, buf)))
+      {
+        sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), missing);
+        del_udf(tmp);
+        if (new_dl)
+          dlclose(dl);
+      }
     }
   }
   if (error > 0)
@@ -234,7 +268,7 @@ void udf_free()
   {
     initialized= 0;
     pthread_mutex_destroy(&THR_LOCK_udf);
-  }    
+  }
   DBUG_VOID_RETURN;
 }
 
@@ -398,13 +432,15 @@ int mysql_create_function(THD *thd,udf_func *udf)
     new_dl=1;
   }
   udf->dlhandle=dl;
-  init_syms(udf);
-
-  if (udf->func == NULL)
   {
-    net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, udf->name);
-    goto err;
+    char buf[MAX_FIELD_NAME+16], *missing;
+    if ((missing= init_syms(udf, buf)))
+    {
+      net_printf(&thd->net, ER_CANT_FIND_DL_ENTRY, missing);
+      goto err;
+    }
   }
+
   udf->name=strdup_root(&mem,udf->name);
   udf->dl=strdup_root(&mem,udf->dl);
   if (!(u_d=add_udf(udf->name,udf->returns,udf->dl,udf->type)))
@@ -419,7 +455,7 @@ int mysql_create_function(THD *thd,udf_func *udf)
   u_d->func_reset=udf->func_reset;
   u_d->func_add=udf->func_add;
 
-  /* create entry in mysql/func table */
+  /* create entry in mysql.func table */
 
   bzero((char*) &tables,sizeof(tables));
   tables.db= (char*) "mysql";
@@ -439,7 +475,7 @@ int mysql_create_function(THD *thd,udf_func *udf)
   close_thread_tables(thd);
   if (error)
   {
-    net_printf(&thd->net, ER_ERROR_ON_WRITE, "func@mysql",error);
+    net_printf(&thd->net, ER_ERROR_ON_WRITE, "mysql.func",error);
     del_udf(u_d);
     goto err;
   }
-- 
cgit v1.2.1


From 10a120aed3ffe1f0381242c22dd8cdc4450a382c Mon Sep 17 00:00:00 2001
From: unknown <serg@serg.mylan>
Date: Thu, 3 Mar 2005 23:57:48 +0100
Subject: after merge fixes

---
 sql/sql_udf.cc | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'sql/sql_udf.cc')

diff --git a/sql/sql_udf.cc b/sql/sql_udf.cc
index b28b1cb1f92..05df069d69a 100644
--- a/sql/sql_udf.cc
+++ b/sql/sql_udf.cc
@@ -83,10 +83,10 @@ static char *init_syms(udf_func *tmp, char *nm)
 {
   char *end;
 
-  if (!((tmp->func= dlsym(tmp->dlhandle, tmp->name))))
-    return tmp->name;
+  if (!((tmp->func= dlsym(tmp->dlhandle, tmp->name.str))))
+    return tmp->name.str;
 
-  end=strmov(nm,tmp->name);
+  end=strmov(nm,tmp->name.str);
 
   if (tmp->type == UDFTYPE_AGGREGATE)
   {
@@ -193,10 +193,10 @@ void udf_init()
       This is done to ensure that only approved dll from the system
       directories are used (to make this even remotely secure).
     */
-    if (strchr(dl_name, '/') || strlen(name) > NAME_LEN)
+    if (strchr(dl_name, '/') || name.length > NAME_LEN)
     {
       sql_print_error("Invalid row in mysql.func table for function '%.64s'",
-                      name);
+                      name.str);
       continue;
     }
 
@@ -204,7 +204,7 @@ void udf_init()
     if (!(tmp= add_udf(&name,(Item_result) table->field[1]->val_int(),
                        dl_name, udftype)))
     {
-      sql_print_error("Can't alloc memory for udf function: '%.64s'", name);
+      sql_print_error("Can't alloc memory for udf function: '%.64s'", name.str);
       continue;
     }
 
@@ -271,7 +271,7 @@ void udf_free()
   {
     initialized= 0;
     rwlock_destroy(&THR_LOCK_udf);
-  }    
+  }
   DBUG_VOID_RETURN;
 }
 
-- 
cgit v1.2.1


From 18f16edff75ed64fb8c726a5f912cbaf8a09fe2c Mon Sep 17 00:00:00 2001
From: unknown <paul@frost.snake.net>
Date: Sat, 5 Mar 2005 12:42:05 -0600
Subject: sql_udf.cc:   Comment changes: use standard style; fix grammar.

sql/sql_udf.cc:
  Comment changes: use standard style; fix grammar.
---
 sql/sql_udf.cc | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'sql/sql_udf.cc')

diff --git a/sql/sql_udf.cc b/sql/sql_udf.cc
index c7c0bf2034f..1d14d037c47 100644
--- a/sql/sql_udf.cc
+++ b/sql/sql_udf.cc
@@ -17,15 +17,15 @@
 /* This implements 'user defined functions' */
 
 /*
-** Known bugs:
-**
-** Memory for functions are never freed!
-** Shared libraries are not closed before mysqld exists;
-**   - This is because we can't be sure if some threads is using
-**     a functions.
-**
-** The buggs only affects applications that creates and frees a lot of
-** dynamic functions, so this shouldn't be a real problem.
+   Known bugs:
+  
+   Memory for functions is never freed!
+   Shared libraries are not closed before mysqld exits;
+     - This is because we can't be sure if some threads are using
+       a function.
+  
+   The bugs only affect applications that create and free a lot of
+   dynamic functions, so this shouldn't be a real problem.
 */
 
 #ifdef __GNUC__
-- 
cgit v1.2.1