database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-06-12 01:53:02 +03:00
Code Activity

Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.

Browse Source 
test_if_data_home_dir fixed to look into real path.
            Checks added to mi_open for symlinks into data home directory.

per-file messages:
        include/my_sys.h
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          my_is_symlink interface added
        include/myisam.h
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          myisam_test_invalid_symlink interface added
        myisam/mi_check.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          mi_open_datafile calls modified
        myisam/mi_open.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          code added to mi_open to check for symlinks into data home directory.
          mi_open_datafile now accepts 'original' file path to check if it's
          an allowed symlink.
        myisam/mi_static.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          myisam_test_invlaid_symlink defined
        myisam/myisamchk.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          mi_open_datafile call modified
        myisam/myisamdef.h
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          mi_open_datafile interface modified - 'real_path' parameter added
        mysql-test/r/symlink.test
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          error codes corrected as some patch now rejected pointing inside datahome
        mysql-test/r/symlink.result
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          error messages corrected in the result
        mysys/my_symlink.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          my_is_symlink() implementsd
          my_realpath() now returns the 'realpath' even if a file isn't a symlink
        sql/mysql_priv.h
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          test_if_data_home_dir interface
        sql/mysqld.cc
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          myisam_test_invalid_symlik set with the 'test_if_data_home_dir'
        sql/sql_parse.cc
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          error messages corrected
          test_if_data_home_dir code fixed
This commit is contained in:
Alexey Botchkov
2008-08-22 17:31:53 +05:00
parent de73b72954
commit ec524d50a8
12 changed files with 112 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
sql/sql_parse.cc
View File

@ -76,7 +76,6 @@ static void remove_escape(char *name);
static bool append_file_to_dir(THD *thd, const char **filename_ptr,
const char *table_name);
static bool check_show_create_table_access(THD *thd, TABLE_LIST *table);
static bool test_if_data_home_dir(const char *dir);
const char *any_db="*any*"; // Special symbol for check_access
@ -3044,13 +3043,13 @@ mysql_execute_command(THD *thd)
if (test_if_data_home_dir(lex->create_info.data_file_name))
{
my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECORY");
my_error(ER_WRONG_ARGUMENTS,MYF(0),"DATA DIRECTORY");
res= -1;
break;
}
if (test_if_data_home_dir(lex->create_info.index_file_name))
{
my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECORY");
my_error(ER_WRONG_ARGUMENTS,MYF(0),"INDEX DIRECTORY");
res= -1;
break;
}
@ -7946,10 +7945,12 @@ bool check_string_length(LEX_STRING *str, const char *err_msg,
1 error
*/
static bool test_if_data_home_dir(const char *dir)
C_MODE_START
int test_if_data_home_dir(const char *dir)
{
char path[FN_REFLEN], conv_path[FN_REFLEN];
uint dir_len, home_dir_len= strlen(mysql_unpacked_real_data_home);
char path[FN_REFLEN];
uint dir_len;
DBUG_ENTER("test_if_data_home_dir");
if (!dir)
@ -7957,21 +7958,27 @@ static bool test_if_data_home_dir(const char *dir)
(void) fn_format(path, dir, "", "",
(MY_RETURN_REAL_PATH|MY_RESOLVE_SYMLINKS));
dir_len= unpack_dirname(conv_path, dir);
if (home_dir_len <= dir_len)
dir_len= strlen(path);
if (mysql_unpacked_real_data_home_len<= dir_len)
{
if (dir_len > mysql_unpacked_real_data_home_len &&
path[mysql_unpacked_real_data_home_len] != FN_LIBCHAR)
DBUG_RETURN(0);
if (lower_case_file_system)
{
if (!my_strnncoll(default_charset_info, (const uchar*) conv_path,
home_dir_len,
if (!my_strnncoll(default_charset_info, (const uchar*) path,
mysql_unpacked_real_data_home_len,
(const uchar*) mysql_unpacked_real_data_home,
home_dir_len))
mysql_unpacked_real_data_home_len))
DBUG_RETURN(1);
}
else if (!memcmp(conv_path, mysql_unpacked_real_data_home, home_dir_len))
else if (!memcmp(path, mysql_unpacked_real_data_home,
mysql_unpacked_real_data_home_len))
DBUG_RETURN(1);
}
DBUG_RETURN(0);
}
C_MODE_END