database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

Bug#18628 mysql-test-run: security problem(part1)

Browse Source 
- Implement --secure-file-priv=<dir> option that limits
  "load_file", "LOAD DATA" and "SELECT .. INTO OUTFILE" to work 
  with files in specified dir.
 - Use above option for mysqld in mysql-test-run.pl
This commit is contained in:
msvensson@pilot.mysql.com
2007-02-14 14:44:34 +01:00
parent d1a7949297
commit 45fe5879f4
17 changed files with 135 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
sql/sql_class.cc
View File

@ -1084,7 +1084,7 @@ static File create_file(THD *thd, char *path, sql_exchange *exchange,
IO_CACHE *cache)
{
File file;
uint option= MY_UNPACK_FILENAME;
uint option= MY_UNPACK_FILENAME | MY_RELATIVE_PATH;
#ifdef DONT_ALLOW_FULL_LOAD_DATA_PATHS
option|= MY_REPLACE_DIR; // Force use of db directory
@ -1097,7 +1097,15 @@ static File create_file(THD *thd, char *path, sql_exchange *exchange,
}
else
(void) fn_format(path, exchange->file_name, mysql_real_data_home, "", option);
if (opt_secure_file_priv &&
strncmp(opt_secure_file_priv, path, strlen(opt_secure_file_priv)))
{
/* Write only allowed to dir or subdir specified by secure_file_priv */
my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--secure-file-priv");
return -1;
}
if (!access(path, F_OK))
{
my_error(ER_FILE_EXISTS_ERROR, MYF(0), exchange->file_name);