From e4b7138561d567041dbb2aa8ed366e3c3d31d58b Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Tue, 2 Feb 2010 18:37:56 +0200 Subject: [PATCH 1/5] Bug #49445: Assertion failed: 0, file .\item_row.cc, line 55 with fulltext search and row op. The search for fulltext indexes is searching for some special predicate layouts. While doing so it's not checking for the number of columns of the expressions it tries to calculate. And since row expressions can't return a single scalar value there was a crash. Fixed by checking if the expressions are scalar (in addition to being constant) before calling Item::val_xxx() methods. --- mysql-test/r/fulltext.result | 8 ++++++++ mysql-test/t/fulltext.test | 10 ++++++++++ sql/sql_select.cc | 24 ++++++++++++------------ 3 files changed, 30 insertions(+), 12 deletions(-) diff --git a/mysql-test/r/fulltext.result b/mysql-test/r/fulltext.result index 1ef6656e7a4..f65823518d4 100644 --- a/mysql-test/r/fulltext.result +++ b/mysql-test/r/fulltext.result @@ -603,4 +603,12 @@ WHERE t3.a=t1.a AND MATCH(b2) AGAINST('scargill' IN BOOLEAN MODE) count(*) 0 DROP TABLE t1,t2,t3; +# +# Bug #49445: Assertion failed: 0, file .\item_row.cc, line 55 with +# fulltext search and row op +# +CREATE TABLE t1(a CHAR(1),FULLTEXT(a)); +SELECT 1 FROM t1 WHERE MATCH(a) AGAINST ('') AND ROW(a,a) > ROW(1,1); +1 +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/fulltext.test b/mysql-test/t/fulltext.test index 3853a224fd5..57a90483ea9 100644 --- a/mysql-test/t/fulltext.test +++ b/mysql-test/t/fulltext.test @@ -545,4 +545,14 @@ SELECT count(*) FROM t1 WHERE DROP TABLE t1,t2,t3; +--echo # +--echo # Bug #49445: Assertion failed: 0, file .\item_row.cc, line 55 with +--echo # fulltext search and row op +--echo # + +CREATE TABLE t1(a CHAR(1),FULLTEXT(a)); +SELECT 1 FROM t1 WHERE MATCH(a) AGAINST ('') AND ROW(a,a) > ROW(1,1); +DROP TABLE t1; + + --echo End of 5.1 tests diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 0e36d35289f..da85ca27339 100644 
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -3650,20 +3650,20 @@ add_ft_keys(DYNAMIC_ARRAY *keyuse_array,
 cond_func=(Item_func_match *)cond;
 else if (func->arg_count == 2)
 {
- Item_func *arg0=(Item_func *)(func->arguments()[0]),
- *arg1=(Item_func *)(func->arguments()[1]);
- if (arg1->const_item() &&
+ Item *arg0= func->arguments()[0],
+ *arg1= func->arguments()[1];
+ if (arg1->const_item() && arg1->cols() == 1 &&
 ((functype == Item_func::GE_FUNC && arg1->val_real() > 0) ||
- (functype == Item_func::GT_FUNC && arg1->val_real() >=0)) &&
- arg0->type() == Item::FUNC_ITEM &&
- arg0->functype() == Item_func::FT_FUNC)
- cond_func=(Item_func_match *) arg0;
- else if (arg0->const_item() &&
+ (functype == Item_func::GT_FUNC && arg1->val_real() >= 0)) &&
+ arg0->type() == Item::FUNC_ITEM &&
+ ((Item_func *) arg0)->functype() == Item_func::FT_FUNC)
+ cond_func= (Item_func_match *) arg0;
+ else if (arg0->const_item() && arg0->cols() == 1 &&
 ((functype == Item_func::LE_FUNC && arg0->val_real() > 0) ||
- (functype == Item_func::LT_FUNC && arg0->val_real() >=0)) &&
- arg1->type() == Item::FUNC_ITEM &&
- arg1->functype() == Item_func::FT_FUNC)
- cond_func=(Item_func_match *) arg1;
+ (functype == Item_func::LT_FUNC && arg0->val_real() >= 0)) &&
+ arg1->type() == Item::FUNC_ITEM &&
+ ((Item_func *) arg1)->functype() == Item_func::FT_FUNC)
+ cond_func= (Item_func_match *) arg1;
 }
 }
 else if (cond->type() == Item::COND_ITEM)
From 679de2bb5eb36c900c0f9db189283e73ab4acbcc Mon Sep 17 00:00:00 2001 
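Review bot: The new `arg1->cols() == 1` and `arg0->cols() == 1` guards are the whole fix, yet nothing in the hunk records why a constant operand can still be unusable, so the next person simplifying this condition is likely to drop them; a comment before the first `if`, such as `/* A ROW(...) expression can be const yet has no scalar value, so val_real() may only be called on single-column items. */`, would pin that down. The two branches are mirror images differing only in which operand is the constant and which comparison direction is accepted, so any future guard has to be added twice; worth noting in the same comment that both branches must stay in sync. add_ft_keys begins before this hunk and continues after it.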
From: Georgi Kodinov Date: Thu, 21 Jan 2010 17:14:10 +0200 Subject: [PATCH 2/5] Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES check_access() returning false for a database does not guarantee that the access is granted to it. This wrong condition in filling the INFORMATION_SCHEMA tables causes extra tables to be returned to the user even if he has no rights to see them. Fixed by correcting the condition. --- mysql-test/r/information_schema.result | 22 +++++++++++++++++++++ mysql-test/t/information_schema.test | 27 ++++++++++++++++++++++++++ sql/sql_show.cc | 8 ++++---- 3 files changed, 53 insertions(+), 4 deletions(-) diff --git a/mysql-test/r/information_schema.result b/mysql-test/r/information_schema.result index 9a75e478264..4ed7e4e700b 100644 --- a/mysql-test/r/information_schema.result +++ b/mysql-test/r/information_schema.result @@ -1725,4 +1725,26 @@ SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0; TEST_RESULT OK SET TIMESTAMP=DEFAULT; +# +# Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES +# +CREATE DATABASE db1; +USE db1; +CREATE TABLE t1 (id INT); +CREATE USER nonpriv; +USE test; +# connected as nonpriv +# Should return 0 +SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1'; +COUNT(*) +0 +USE INFORMATION_SCHEMA; +# Should return 0 +SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1'; +COUNT(*) +0 +# connected as root +DROP USER nonpriv; +DROP TABLE db1.t1; +DROP DATABASE db1; End of 5.1 tests. diff --git a/mysql-test/t/information_schema.test b/mysql-test/t/information_schema.test index 392d1062492..f3ce3d87252 100644 --- a/mysql-test/t/information_schema.test +++ b/mysql-test/t/information_schema.test 
@@ -1419,6 +1419,33 @@ SET TIMESTAMP=@@TIMESTAMP + 10000000; SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0; SET TIMESTAMP=DEFAULT; + +--echo # +--echo # Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES +--echo # +CREATE DATABASE db1; +USE db1; +CREATE TABLE t1 (id INT); +CREATE USER nonpriv; +USE test; + +connect (nonpriv_con, localhost, nonpriv,,); +connection nonpriv_con; +--echo # connected as nonpriv +--echo # Should return 0 +SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1'; +USE INFORMATION_SCHEMA; +--echo # Should return 0 +SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1'; + +connection default; +--echo # connected as root +disconnect nonpriv_con; +DROP USER nonpriv; +DROP TABLE db1.t1; +DROP DATABASE db1; + + --echo End of 5.1 tests. # Wait till all disconnects are completed
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index 5ec40d4893c..989606300d8 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -3367,11 +3367,11 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond)
 while ((db_name= it++))
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
- if (!check_access(thd,SELECT_ACL, db_name->str,
- &thd->col_access, 0, 1, with_i_schema) ||
+ if (!(check_access(thd,SELECT_ACL, db_name->str,
+ &thd->col_access, 0, 1, with_i_schema) ||
+ (!thd->col_access && check_grant_db(thd, db_name->str))) ||
 sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
- acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) ||
- !check_grant_db(thd, db_name->str))
+ acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0))
 #endif
 {
 thd->no_warnings_for_error= 1;
From 56b911f893594004c2da92c9a77b2f122fe317d9 Mon Sep 17 00:00:00 2001 
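Review bot: The corrected condition rests on a subtle contract — as the commit message notes, `check_access()` returning false for a database does not mean access was granted, and in the new code a zero `thd->col_access` after that call appears to be the only signal that no database-level privilege was found — yet the hunk adds no comment saying so, and that is exactly the misreading that produced the original flaw. I would add above the `#ifndef`: `/* check_access() alone is not conclusive here: when it records no db-level privilege in col_access, fall back to check_grant_db() before listing this database. */`. The regression test in this commit only exercises a user with no privileges at all; a user holding a single table-level grant inside db1 would pin the `check_grant_db()` branch and guard against the condition being simplified back. get_all_tables continues outside the hunk.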
From: Luis Soares Date: Tue, 2 Feb 2010 15:16:47 +0000 Subject: [PATCH 3/5] BUG#47639: The rpl_binlog_corruption test fails on Windows The test case rpl_binlog_corruption fails on windows because when adding a line to the binary log index file it gets terminated with a CR+LF (which btw, is the normal case in windows, but not on Unixes - LF). This causes mismatch between the relay log names, causing mysqld to report that it cannot find the log file. We fix this by creating the instrumented index file through mysql, ie, using SELECT ... INTO DUMPFILE ..., as opposed on relying on ultimatly OS commands like: -- echo "..." > index. These changes go into the file and make the procedure platform independent: include/setup_fake_relay_log.inc Side note: when using SELECT ... INTO DUMPFILE ..., one needs to check if mysqld is running with secure_file_priv. If it is, we do it in two steps: 1. create the file on the allowed location; 2. move it to the datadir. If it is not, then we just create the file directly on the datadir (so previous step 2. is not needed). --- mysql-test/include/setup_fake_relay_log.inc | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/mysql-test/include/setup_fake_relay_log.inc b/mysql-test/include/setup_fake_relay_log.inc index f88806e1079..5b9e7f72fdd 100644 --- a/mysql-test/include/setup_fake_relay_log.inc +++ b/mysql-test/include/setup_fake_relay_log.inc 
@@ -69,7 +69,22 @@ let $_fake_relay_log_purge= `SELECT @@global.relay_log_purge`; # Create relay log file. copy_file $fake_relay_log $_fake_relay_log; # Create relay log index. ---exec echo $_fake_filename-fake.000001 > $_fake_relay_index + +if (`SELECT LENGTH(@@secure_file_priv) > 0`) +{ + -- let $_file_priv_dir= `SELECT @@secure_file_priv`; + -- let $_suffix= `SELECT UUID()` + -- let $_tmp_file= $_file_priv_dir/fake-index.$_suffix + + -- eval select '$_fake_filename-fake.000001\n' into dumpfile '$_tmp_file' + -- copy_file $_tmp_file $_fake_relay_index + -- remove_file $_tmp_file +} + +if (`SELECT LENGTH(@@secure_file_priv) = 0`) +{ + -- eval select '$_fake_filename-fake.000001\n' into dumpfile '$_fake_relay_index' +} # Setup replication from existing relay log. eval CHANGE MASTER TO MASTER_HOST='dummy.localdomain', RELAY_LOG_FILE='$_fake_filename-fake.000001', RELAY_LOG_POS=4; From 673ec7b24d1e4c8806d964ef262f39fadc84da70 Mon Sep 17 00:00:00 2001 From: Kent Boortz Date: Tue, 2 Feb 2010 23:29:14 +0100 Subject: [PATCH 4/5] Changes to be able to create source TAR packages with longer path names than 99 characters, using the USTAR format of the resulting source TAR. To be able to specify the use of USTAR when creating the source TAR, we needed both to update the GNU autotools version requirements slightly, and update the initiation of the tools to use more modern constructs. --- configure.in | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/configure.in b/configure.in index 38eb511ac18..eeb1da8670a 100644 --- a/configure.in +++ b/configure.in 
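Review bot: Both new branches key off `LENGTH(@@secure_file_priv)`, so if the server reports the variable as NULL rather than an empty string (the hunk does not show which this server does) LENGTH() is NULL, neither `> 0` nor `= 0` holds, and the include silently creates no index file, leaving the following CHANGE MASTER to fail far from the cause. Writing the tests as `if (\`SELECT IFNULL(LENGTH(@@secure_file_priv), 0) > 0\`)` and `if (\`SELECT IFNULL(LENGTH(@@secure_file_priv), 0) = 0\`)` makes the two branches exhaustive. The `select '$_fake_filename-fake.000001\n' into dumpfile` statement is duplicated in both branches with only the destination differing; setting a target-path variable in each branch and issuing one eval afterwards would keep the file content defined once. A comment above the first `if` stating why DUMPFILE replaces the shell `echo` (CR+LF from the Windows shell breaks relay log name matching) would keep the rationale from the commit message next to the code.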
@@ -1,17 +1,23 @@ dnl -*- ksh -*- dnl Process this file with autoconf to produce a configure script. -AC_PREREQ(2.52)dnl Minimum Autoconf version required. +# Minimum Autoconf version required. +AC_PREREQ(2.59) -AC_INIT(sql/mysqld.cc) -AC_CANONICAL_SYSTEM -# The Docs Makefile.am parses this line! -# remember to also update version.c in ndb -# +# Remember to also update version.c in ndb. # When changing major version number please also check switch statement # in mysqlbinlog::check_master_version(). -AM_INIT_AUTOMAKE(mysql, 5.1.43) -AM_CONFIG_HEADER([include/config.h:config.h.in]) +AC_INIT([MySQL Server], [5.1.43], [], [mysql]) +AC_CONFIG_SRCDIR([sql/mysqld.cc]) +AC_CANONICAL_SYSTEM +# USTAR format gives us the possibility to store longer path names in +# TAR files, the path name is split into two parts, a 155 chacater +# first part and a 100 character second part. +AM_INIT_AUTOMAKE([1.9 tar-ustar]) +LT_INIT +LT_PREREQ([1.5.6]) + +AM_CONFIG_HEADER([include/config.h]) # Request support for automake silent-rules if available. # Default to verbose output. One can use the configure-time From 0a90bfe6c019fd1dc3db3090de969077ac311fb5 Mon Sep 17 00:00:00 2001 From: Kent Boortz Date: Wed, 3 Feb 2010 14:52:11 +0100 Subject: [PATCH 5/5] Adjuster the parsing of "configure.in" version number line --- win/configure.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/win/configure.js b/win/configure.js index fc5c548c983..38fa8e7afeb 100644 --- a/win/configure.js +++ b/win/configure.js @@ -140,11 +140,11 @@ function GetValue(str, key) function GetVersion(str) { - var key = "AM_INIT_AUTOMAKE(mysql, "; - var pos = str.indexOf(key); //5.0.6-beta) + var key = "AC_INIT([MySQL Server], ["; + var pos = str.indexOf(key); if (pos == -1) return null; pos += key.length; - var end = str.indexOf(")", pos); + var end = str.indexOf("]", pos); if (end == -1) return null; return str.substring(pos, end); }
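Review bot: The removed comment `# The Docs Makefile.am parses this line!` warned that another file scrapes the version out of the `AM_INIT_AUTOMAKE(mysql, 5.1.43)` line, and this series only adapts win/configure.js (PATCH 5/5) to the new `AC_INIT([MySQL Server], [5.1.43], [], [mysql])` layout, so whether that Docs Makefile still parses it should be confirmed before the old format disappears. `LT_PREREQ([1.5.6])` is placed after `LT_INIT`, whereas the convention (as with `AC_PREREQ` before `AC_INIT`) is to state the requirement first; and to my recollection `LT_INIT` is a libtool 2.x macro, in which case 1.5.6 cannot satisfy the macro being invoked — worth checking against the libtool the release builds use. The new comment also has a typo, `chacater` → `character`.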
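Review bot: `GetVersion` now pins the exact byte sequence `AC_INIT([MySQL Server], [`, so a single extra space or a reflow of the AC_INIT line in configure.in makes `indexOf` return -1 and the function returns null for a file that does carry a version. A whitespace-tolerant regular expression would be sturdier, e.g. `var m = /AC_INIT\(\s*\[MySQL Server\]\s*,\s*\[([^\]]*)\]/.exec(str); return m ? m[1] : null;`. The change also drops the old `//5.0.6-beta)` hint without a replacement; a comment such as `// e.g. AC_INIT([MySQL Server], [5.1.43], [], [mysql]) -> "5.1.43"` would document the expected input. The function's callers are outside the hunk.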