Bug#32167 another privilege bypass with DATA/INDEX DIRECORY(ver 4.1,5.0)

added new function test_if_data_home_dir() which checks that path does not contain mysql data home directory. Using of mysql data home directory in DATA DIRECTORY & INDEX DIRECTORY is disallowed. mysql-test/r/symlink.result: test result mysql-test/t/symlink.test: test case sql/mysql_priv.h: new variable mysql_unpacked_real_data_home sql/mysqld.cc: new variable mysql_unpacked_real_data_home sql/sql_parse.cc: added new function test_if_data_home_dir() which checks that path does not contain mysql data home directory. Using of mysql data home directory in DATA DIRECTORY & INDEX DIRECTORY is disallowed.
2025-07-27 18:02:13 +03:00 · 2008-02-29 13:55:00 +04:00
parent f364c09901
commit ab60425901
5 changed files with 117 additions and 39 deletions
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -65,7 +65,8 @@ static bool append_file_to_dir(THD *thd, const char **filename_ptr,
 			       const char *table_name);
             
 static TABLE_LIST* get_table_by_alias(TABLE_LIST* tl, const char* db,
-  const char* alias);      
+  const char* alias);
+static bool test_if_data_home_dir(const char *dir);

 const char *any_db="*any*";	// Special symbol for check_access

@ -2531,6 +2532,20 @@ mysql_execute_command(THD *thd)
                   "INDEX DIRECTORY option ignored");
    create_info.data_file_name= create_info.index_file_name= NULL;
 #else
+
+    if (test_if_data_home_dir(lex->create_info.data_file_name))
+    {
+      my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECORY");
+      res= -1;
+      break;
+    }
+    if (test_if_data_home_dir(lex->create_info.index_file_name))
+    {
+      my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECORY");
+      res= -1;
+      break;
+    }
+
    /* Fix names if symlinked tables */
    if (append_file_to_dir(thd, &create_info.data_file_name,
 			   create_table->real_name) ||
@ -5920,3 +5935,47 @@ Item *negate_expression(THD *thd, Item *expr)
    return negated;
  return new Item_func_not(expr);
 }
+
+
+/*
+  Check if path does not contain mysql data home directory
+
+  SYNOPSIS
+    test_if_data_home_dir()
+    dir                     directory
+    conv_home_dir           converted data home directory
+    home_dir_len            converted data home directory length
+
+  RETURN VALUES
+    0	ok
+    1	error  
+*/
+
+static bool test_if_data_home_dir(const char *dir)
+{
+  char path[FN_REFLEN], conv_path[FN_REFLEN];
+  uint dir_len, home_dir_len= strlen(mysql_unpacked_real_data_home);
+  DBUG_ENTER("test_if_data_home_dir");
+
+  if (!dir)
+    DBUG_RETURN(0);
+
+  (void) fn_format(path, dir, "", "",
+                   (MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
+  dir_len= unpack_dirname(conv_path, dir);
+
+  if (home_dir_len <= dir_len)
+  {
+    if (lower_case_file_system)
+    {
+      if (!my_strnncoll(default_charset_info, (const uchar*) conv_path,
+                        home_dir_len,
+                        (const uchar*) mysql_unpacked_real_data_home,
+                        home_dir_len))
+        DBUG_RETURN(1);
+    }
+    else if (!memcmp(conv_path, mysql_unpacked_real_data_home, home_dir_len))
+      DBUG_RETURN(1);
+  }
+  DBUG_RETURN(0);
+}