database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.

Browse Source 
This is the 5.1 merge and extension of the fix.
The server was happily accepting paths in table name in all places a table
name is accepted (e.g. a SELECT). This allowed all users that have some 
privilege over some database to read all tables in all databases in all
mysql server instances that the server file system has access to.
Fixed by :
1. making sure no path elements are allowed in quoted table name when
constructing the path (note that the path symbols are still valid in table names
when they're properly escaped by the server).
2. checking the #mysql50# prefixed names the same way they're checked for
path elements in mysql-5.0.
This commit is contained in:
Georgi Kodinov
2010-05-04 17:03:28 +03:00
parent 83fb8a7770 6ae9c70109
commit 0f26a0533b
9 changed files with 138 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
tests/mysql_client_test.c
View File

@ -18049,6 +18049,50 @@ static void test_bug44495()
DBUG_VOID_RETURN;
}
static void test_bug53371()
{
int rc;
MYSQL_RES *result;
myheader("test_bug53371");
rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
myquery(rc);
rc= mysql_query(mysql, "DROP DATABASE IF EXISTS bug53371");
myquery(rc);
rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
rc= mysql_query(mysql, "CREATE TABLE t1 (a INT)");
myquery(rc);
rc= mysql_query(mysql, "CREATE DATABASE bug53371");
myquery(rc);
rc= mysql_query(mysql, "GRANT SELECT ON bug53371.* to 'testbug'@localhost");
myquery(rc);
rc= mysql_change_user(mysql, "testbug", NULL, "bug53371");
myquery(rc);
rc= mysql_query(mysql, "SHOW COLUMNS FROM client_test_db.t1");
DIE_UNLESS(rc);
DIE_UNLESS(mysql_errno(mysql) == 1142);
result= mysql_list_fields(mysql, "../client_test_db/t1", NULL);
DIE_IF(result);
result= mysql_list_fields(mysql, "#mysql50#/../client_test_db/t1", NULL);
DIE_IF(result);
rc= mysql_change_user(mysql, opt_user, opt_password, current_db);
myquery(rc);
rc= mysql_query(mysql, "DROP TABLE t1");
myquery(rc);
rc= mysql_query(mysql, "DROP DATABASE bug53371");
myquery(rc);
rc= mysql_query(mysql, "DROP USER 'testbug'@localhost");
myquery(rc);
}
/*
Read and parse arguments and MySQL options from my.cnf
*/
@ -18358,6 +18402,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug30472", test_bug30472 },
{ "test_bug20023", test_bug20023 },
{ "test_bug45010", test_bug45010 },
{ "test_bug53371", test_bug53371 },
{ "test_bug31418", test_bug31418 },
{ "test_bug31669", test_bug31669 },
{ "test_bug28386", test_bug28386 },