database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave

Browse Source 
/*![:version:] Query Code */, where [:version:] is a sequence of 5 
digits representing the mysql server version(e.g /*!50200 ... */),
is a special comment that the query in it can be executed on those 
servers whose versions are larger than the version appearing in the 
comment. It leads to a security issue when slave's version is larger 
than master's. A malicious user can improve his privileges on slaves. 
Because slave SQL thread is running with SUPER privileges, so it can
execute queries that he/she does not have privileges on master.

This bug is fixed with the logic below: 
- To replace '!' with ' ' in the magic comments which are not applied on
  master. So they become common comments and will not be applied on slave.

- Example:
  'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
  will be binlogged as
  'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/

mysql-test/suite/rpl/t/rpl_conditional_comments.test:
  Test the patch for this bug.
sql/mysql_priv.h:
  Rename inBuf as rawBuf and remove the const limitation.
sql/sql_lex.cc:
  To replace '!' with ' ' in the magic comments which are not applied on
  master.
sql/sql_lex.h:
  Remove the const limitation on parameter buff, as it can be modified in the function since
  this patch.
  Add member function yyUnput for Lex_input_stream. It set a character back the query buff.
sql/sql_parse.cc:
  Rename inBuf as rawBuf and remove the const limitation.
sql/sql_partition.cc:
  Remove the const limitation on parameter part_buff, as it can be modified in the function since
  this patch.
sql/sql_partition.h:
  Remove the const limitation on parameter part_buff, as it can be modified in the function since
  this patch.
sql/table.h:
  Remove the const limitation on variable partition_info, as it can be modified since
  this patch.
This commit is contained in:
unknown
2010-07-29 11:00:57 +08:00
parent 2529ee72ec
commit 2124538d9c
9 changed files with 173 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
sql/sql_partition.h
View File

@ -78,7 +78,7 @@ void get_full_part_id_from_key(const TABLE *table, uchar *buf,
KEY *key_info,
const key_range *key_spec,
part_id_range *part_spec);
bool mysql_unpack_partition(THD *thd, const char *part_buf,
bool mysql_unpack_partition(THD *thd, char *part_buf,
uint part_info_len,
const char *part_state, uint part_state_len,
TABLE *table, bool is_create_table_ind,