cleanup: normalize LEX_USER to get rid of different representation of the same thing

username IDENTIFIED BY PASSWORD xxx username IDENTIFIED VIA mysql_native_password USING xxx etc also check for valid strlen(xxx)
2025-07-30 16:24:05 +03:00 · 2014-11-23 20:30:56 +01:00
parent c1204da1c7
commit f5722f5851
5 changed files with 119 additions and 5 deletions
--- a/mysql-test/r/connect.result
+++ b/mysql-test/r/connect.result
@ -273,8 +273,8 @@ connect(localhost,mysqltest_nouser,newpw,test,MASTER_PORT,MASTER_SOCKET);
 ERROR 28000: Access denied for user 'mysqltest_nouser'@'localhost' (using password: YES)
 connect(localhost,mysqltest_nouser,,test,MASTER_PORT,MASTER_SOCKET);
 ERROR 28000: Access denied for user 'mysqltest_nouser'@'localhost' (using password: NO)
-update mysql.user set password=authentication_string, authentication_string=''
-                  where user like 'mysqltest_up_';
+update mysql.user set plugin='mysql_native_password' where user = 'mysqltest_up1';
+update mysql.user set plugin='mysql_old_password' where user = 'mysqltest_up2';
 select user, password, plugin, authentication_string from mysql.user
 where user like 'mysqltest_up_';
 user	password	plugin	authentication_string
--- a/mysql-test/r/grant4.result
+++ b/mysql-test/r/grant4.result
@ -178,3 +178,37 @@ mysqltest_db1.t1	repair	status	OK
 # Switching to connection 'default'.
 drop database mysqltest_db1;
 drop user mysqltest_u1@localhost;
+create user foo1 identified by password '11111111111111111111111111111111111111111';
+create user foo2 identified by password '2222222222222222';
+create user foo3 identified via mysql_native_password using '11111111111111111111111111111111111111111';
+create user foo4 identified via mysql_old_password using '2222222222222222';
+grant select on test.* to foo5 identified by password '11111111111111111111111111111111111111111';
+grant select on test.* to foo6 identified by password '2222222222222222';
+grant select on test.* to foo7 identified via mysql_native_password using '11111111111111111111111111111111111111111';
+grant select on test.* to foo8 identified via mysql_old_password using '2222222222222222';
+select user,password,plugin,authentication_string from mysql.user where user like 'foo%';
+user	password	plugin	authentication_string
+foo1	11111111111111111111111111111111111111111		
+foo2	2222222222222222		
+foo3	11111111111111111111111111111111111111111		
+foo4	2222222222222222		
+foo5	11111111111111111111111111111111111111111		
+foo6	2222222222222222		
+foo7	11111111111111111111111111111111111111111		
+foo8	2222222222222222		
+drop user foo1;
+drop user foo2;
+drop user foo3;
+drop user foo4;
+drop user foo5;
+drop user foo6;
+drop user foo7;
+drop user foo8;
+create user foo1 identified via mysql_native_password using '00';
+ERROR HY000: Password hash should be a 41-digit hexadecimal number
+create user foo2 identified via mysql_native_password using '2222222222222222';
+ERROR HY000: Password hash should be a 41-digit hexadecimal number
+create user foo3 identified via mysql_old_password using '00';
+ERROR HY000: Password hash should be a 16-digit hexadecimal number
+create user foo4 identified via mysql_old_password using '11111111111111111111111111111111111111111';
+ERROR HY000: Password hash should be a 16-digit hexadecimal number
--- a/mysql-test/t/connect.test
+++ b/mysql-test/t/connect.test
@ -397,8 +397,8 @@ connection default;
 #
 # cannot connect when password is set and plugin=mysql_native_password
 #
-update mysql.user set password=authentication_string, authentication_string=''
-                  where user like 'mysqltest_up_';
+update mysql.user set plugin='mysql_native_password' where user = 'mysqltest_up1';
+update mysql.user set plugin='mysql_old_password' where user = 'mysqltest_up2';
 select user, password, plugin, authentication_string from mysql.user
                  where user like 'mysqltest_up_';
 flush privileges;                  
--- a/mysql-test/t/grant4.test
+++ b/mysql-test/t/grant4.test
@ -201,3 +201,34 @@ disconnect con1;
 connection default;
 drop database mysqltest_db1;
 drop user mysqltest_u1@localhost;
+
+create user foo1 identified by password '11111111111111111111111111111111111111111';
+create user foo2 identified by password '2222222222222222';
+create user foo3 identified via mysql_native_password using '11111111111111111111111111111111111111111';
+create user foo4 identified via mysql_old_password using '2222222222222222';
+
+grant select on test.* to foo5 identified by password '11111111111111111111111111111111111111111';
+grant select on test.* to foo6 identified by password '2222222222222222';
+grant select on test.* to foo7 identified via mysql_native_password using '11111111111111111111111111111111111111111';
+grant select on test.* to foo8 identified via mysql_old_password using '2222222222222222';
+
+--sorted_result
+select user,password,plugin,authentication_string from mysql.user where user like 'foo%';
+
+drop user foo1;
+drop user foo2;
+drop user foo3;
+drop user foo4;
+drop user foo5;
+drop user foo6;
+drop user foo7;
+drop user foo8;
+
+--error ER_PASSWD_LENGTH
+create user foo1 identified via mysql_native_password using '00';
+--error ER_PASSWD_LENGTH
+create user foo2 identified via mysql_native_password using '2222222222222222';
+--error ER_PASSWD_LENGTH
+create user foo3 identified via mysql_old_password using '00';
+--error ER_PASSWD_LENGTH
+create user foo4 identified via mysql_old_password using '11111111111111111111111111111111111111111';
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -943,6 +943,43 @@ static bool fix_user_plugin_ptr(ACL_USER *user)
  return false;
 }

+
+/*
+  transform equivalent LEX_USER values to one:
+     username IDENTIFIED BY PASSWORD xxx
+     username IDENTIFIED VIA mysql_native_password USING xxx
+     etc
+*/
+static bool fix_lex_user(LEX_USER *user)
+{
+  size_t check_length= 0;
+  if (my_strcasecmp(system_charset_info, user->plugin.str,
+                    native_password_plugin_name.str) == 0)
+  {
+    check_length= SCRAMBLED_PASSWORD_CHAR_LENGTH;
+  }
+  else
+  if (my_strcasecmp(system_charset_info, user->plugin.str,
+                    old_password_plugin_name.str) == 0)
+  {
+    check_length= SCRAMBLED_PASSWORD_CHAR_LENGTH_323;
+  }
+
+  if (check_length)
+  {
+    user->password= user->auth.length ? user->auth : null_lex_str;
+    user->plugin= empty_lex_str;
+    user->auth= empty_lex_str;
+    if (user->password.length && user->password.length != check_length)
+    {
+      my_error(ER_PASSWD_LENGTH, MYF(0), check_length);
+      return true;
+    }
+  }
+  return false;
+}
+
+
 static bool get_YN_as_bool(Field *field)
 {
  char buff[2];
@ -6350,6 +6387,12 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list,
      continue;
    }

+    if (fix_lex_user(tmp_Str))
+    {
+      result= TRUE;
+      continue;
+    }
+
    if (copy_and_check_auth(Str, tmp_Str, thd->lex))
      result= true;
    else
@ -9289,6 +9332,13 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
    if (!user_name->host.str)
      user_name->host= host_not_specified;

+    if (fix_lex_user(user_name))
+    {
+      append_user(thd, &wrong_users, user_name);
+      result= TRUE;
+      continue;
+    }
+
    /*
      Search all in-memory structures and grant tables
      for a mention of the new user/role name.
@ -9296,7 +9346,6 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
    if (handle_grant_data(tables, 0, user_name, NULL))
    {
      append_user(thd, &wrong_users, user_name);
-
      result= TRUE;
      continue;
    }