database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-09-02 09:41:40 +03:00
Code Activity

BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave

Browse Source 
Backport to 5.0.

/*![:version:] Query Code */, where [:version:] is a sequence of 5 
digits representing the mysql server version(e.g /*!50200 ... */),
is a special comment that the query in it can be executed on those 
servers whose versions are larger than the version appearing in the 
comment. It leads to a security issue when slave's version is larger 
than master's. A malicious user can improve his privileges on slaves. 
Because slave SQL thread is running with SUPER privileges, so it can
execute queries that he/she does not have privileges on master.
      
This bug is fixed with the logic below: 
- To replace '!' with ' ' in the magic comments which are not applied on
  master. So they become common comments and will not be applied on slave.
      
- Example:
  'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
   will be binlogged as
  'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
This commit is contained in:
unknown
2011-01-15 13:48:16 +08:00
parent f949ac55f7
commit 12c6d1f355
6 changed files with 163 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
sql/sql_parse.cc
View File

@@ -6414,13 +6414,13 @@ void mysql_init_multi_delete(LEX *lex)
/**
Parse a query.
@param thd Current thread
@param inBuf Begining of the query text
@param rawbuf Begining of the query text
@param length Length of the query text
@param [out] semicolon For multi queries, position of the character of
the next query in the query text.
*/
void mysql_parse(THD *thd, const char *inBuf, uint length,
void mysql_parse(THD *thd, char *rawbuf, uint length,
const char ** found_semicolon)
{
DBUG_ENTER("mysql_parse");
@@ -6446,14 +6446,14 @@ void mysql_parse(THD *thd, const char *inBuf, uint length,
lex_start(thd);
mysql_reset_thd_for_next_command(thd);
if (query_cache_send_result_to_client(thd, (char*) inBuf, length) <= 0)
if (query_cache_send_result_to_client(thd, rawbuf, length) <= 0)
{
LEX *lex= thd->lex;
sp_cache_flush_obsolete(&thd->sp_proc_cache);
sp_cache_flush_obsolete(&thd->sp_func_cache);
Parser_state parser_state(thd, inBuf, length);
Parser_state parser_state(thd, rawbuf, length);
thd->m_parser_state= &parser_state;
int err= MYSQLparse(thd);
@@ -6538,13 +6538,13 @@ void mysql_parse(THD *thd, const char *inBuf, uint length,
1 can be ignored
*/
bool mysql_test_parse_for_slave(THD *thd, char *inBuf, uint length)
bool mysql_test_parse_for_slave(THD *thd, char *rawbuf, uint length)
{
LEX *lex= thd->lex;
bool error= 0;
DBUG_ENTER("mysql_test_parse_for_slave");
Parser_state parser_state(thd, inBuf, length);
Parser_state parser_state(thd, rawbuf, length);
thd->m_parser_state= &parser_state;
lex_start(thd);