Bug#26372491 - RCE THROUGH THE MISHANDLE OF BACKSLASH

DESCRIPTION: =========== The bug is related to incorrect parsing of SQL queries when typed in on the CLI. The incorrect parsing can result in unexpected results. ANALYSIS: ======== The scenarios mainly happens for identifier names with a typical combination of backslashes and backticks. The incorrect parsing can either result in executing additional queries or can result in query truncation. This can impact mysqldump as well. FIX: === The fix makes sure that such identifier names are correctly parsed and a proper query is sent to the server for execution.
2025-08-07 00:04:31 +03:00 · 2017-09-08 18:29:07 +05:30
parent 14176f7147
commit 43632f4cd5
1 changed files with 4 additions and 1 deletions
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -2119,7 +2119,10 @@ static bool add_line(String &buffer,char *line,char *in_string,
      if (*in_string || inchar == 'N')	// \N is short for NULL
      {					// Don't allow commands in string
 	*out++='\\';
-	*out++= (char) inchar;
+        if ((inchar == '`') && (*in_string == inchar))
+          pos--;
+        else
+	  *out++= (char) inchar;
 	continue;
      }
      if ((com=find_command(NullS,(char) inchar)))