From 2c79b75831fc1d2a95c8b6259486044d078e2607 Mon Sep 17 00:00:00 2001 From: unknown Date: Sun, 9 May 2010 21:30:06 +0200 Subject: Cherry-pick fix for Bug#53371, security hole with bypassing grants using special path in db/table names. Bump MariaDB version for security fix release. --- sql/table.cc | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) (limited to 'sql/table.cc') diff --git a/sql/table.cc b/sql/table.cc index 733aa3e6887..8c87dc73d7d 100644 --- a/sql/table.cc +++ b/sql/table.cc @@ -494,6 +494,19 @@ inline bool is_system_table_name(const char *name, uint length) } +/** + Check if a string contains path elements +*/ + +static inline bool has_disabled_path_chars(const char *str) +{ + for (; *str; str++) + if (*str == FN_EXTCHAR || *str == '/' || *str == '\\' || *str == '~' || *str == '@') + return TRUE; + return FALSE; +} + + /* Read table definition from a binary / text based .frm file @@ -548,7 +561,8 @@ int open_table_def(THD *thd, TABLE_SHARE *share, uint db_flags) This kind of tables must have been opened only by the my_open() above. */ - if (strchr(share->table_name.str, '@') || + if (has_disabled_path_chars(share->table_name.str) || + has_disabled_path_chars(share->db.str) || !strncmp(share->db.str, MYSQL50_TABLE_NAME_PREFIX, MYSQL50_TABLE_NAME_PREFIX_LENGTH) || !strncmp(share->table_name.str, MYSQL50_TABLE_NAME_PREFIX, @@ -2718,7 +2732,6 @@ bool check_db_name(LEX_STRING *org_name) (name_length > NAME_CHAR_LEN)); /* purecov: inspected */ } - /* Allow anything as a table name, as long as it doesn't contain an ' ' at the end @@ -2726,7 +2739,7 @@ bool check_db_name(LEX_STRING *org_name) */ -bool check_table_name(const char *name, uint length) +bool check_table_name(const char *name, uint length, bool check_for_path_chars) { uint name_length= 0; // name length in symbols const char *end= name+length; @@ -2753,6 +2766,9 @@ bool check_table_name(const char *name, uint length) continue; } } + if (check_for_path_chars && + (*name == '/' || *name == '\\' || *name == '~' || *name == FN_EXTCHAR)) + return 1; #endif name++; name_length++; -- cgit v1.2.1