=== added file 'mysql-test/r/grant_lowercase.result' |
2 |
--- a/mysql-test/r/grant_lowercase.result 1970-01-01 00:00:00 +0000 |
3 |
+++ b/mysql-test/r/grant_lowercase.result 2012-12-04 16:08:02 +0000 |
4 |
@@ -0,0 +1,20 @@ |
5 |
+grant file on *.* to user1@localhost with grant option; |
6 |
+grant select on `a%`.* to user1@localhost with grant option; |
7 |
+grant file on aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* to 'user'@'%' identified by 'secret'; |
8 |
+ERROR 42000: Incorrect database name 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' |
9 |
+drop user user1@localhost; |
10 |
+call mtr.add_suppression("Incorrect database name"); |
11 |
+alter table mysql.host modify Db varchar(200); |
12 |
+alter table mysql.db modify Db varchar(200); |
13 |
+insert mysql.host set db=concat('=>', repeat(_utf8 'й', 200)); |
14 |
+Warnings: |
15 |
+Warning 1265 Data truncated for column 'Db' at row 1 |
16 |
+insert mysql.db set db=concat('=>', repeat(_utf8 'й', 200)); |
17 |
+Warnings: |
18 |
+Warning 1265 Data truncated for column 'Db' at row 1 |
19 |
+flush privileges; |
20 |
+delete from mysql.host where db like '=>%'; |
21 |
+delete from mysql.db where db like '=>%'; |
22 |
+alter table mysql.host modify Db char(64); |
23 |
+alter table mysql.db modify Db char(64); |
24 |
+flush privileges; |
25 |
|
26 |
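=== added file 'mysql-test/t/grant_lowercase.opt'
--- a/mysql-test/t/grant_lowercase.opt 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/grant_lowercase.opt 2012-12-04 16:08:02 +0000
@@ -0,0 +1,1 @@
+--lower-case-table-names=1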
32 |
=== added file 'mysql-test/t/grant_lowercase.test' |
33 |
--- a/mysql-test/t/grant_lowercase.test 1970-01-01 00:00:00 +0000 |
34 |
+++ b/mysql-test/t/grant_lowercase.test 2012-12-04 16:08:02 +0000 |
35 |
@@ -0,0 +1,30 @@ |
36 |
+# test cases for strmov(tmp_db, db) -> strnmov replacement in sql_acl.cc |
37 |
+ |
38 |
+# |
39 |
+# http://seclists.org/fulldisclosure/2012/Dec/4 |
40 |
+# |
41 |
+ |
42 |
+# in acl_get(), check_grant_db(), mysql_grant() |
43 |
+grant file on *.* to user1@localhost with grant option; |
44 |
+grant select on `a%`.* to user1@localhost with grant option; |
45 |
+connect (conn1,localhost,user1,,); |
46 |
+connection conn1; |
47 |
+--error ER_WRONG_DB_NAME |
48 |
+grant file on aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* to 'user'@'%' identified by 'secret'; |
49 |
+connection default; |
50 |
+disconnect conn1; |
51 |
+drop user user1@localhost; |
52 |
+ |
53 |
+# in acl_load() |
54 |
+call mtr.add_suppression("Incorrect database name"); |
55 |
+alter table mysql.host modify Db varchar(200); |
56 |
+alter table mysql.db modify Db varchar(200); |
57 |
+insert mysql.host set db=concat('=>', repeat(_utf8 'й', 200)); |
58 |
+insert mysql.db set db=concat('=>', repeat(_utf8 'й', 200)); |
59 |
+flush privileges; # shouldn't crash here |
60 |
+delete from mysql.host where db like '=>%'; |
61 |
+delete from mysql.db where db like '=>%'; |
62 |
+alter table mysql.host modify Db char(64); |
63 |
+alter table mysql.db modify Db char(64); |
64 |
+flush privileges; |
65 |
+ |
66 |
|
67 |
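=== modified file 'sql/sql_acl.cc'
--- a/sql/sql_acl.cc 2012-11-12 18:56:51 +0000
+++ b/sql/sql_acl.cc 2012-12-04 16:08:02 +0000
@@ -341,7 +341,12 @@
 convert db to lower case and give a warning if the db wasn't
 already in lower case
 */
- (void) strmov(tmp_name, host.db);
+ char *end = strnmov(tmp_name, host.db, sizeof(tmp_name));
+ if (end >= tmp_name + sizeof(tmp_name))
+ {
+ sql_print_warning(ER(ER_WRONG_DB_NAME), host.db);
+ continue;
+ }
 my_casedn_str(files_charset_info, host.db);
 if (strcmp(host.db, tmp_name) != 0)
 sql_print_warning("'host' entry '%s|%s' had database in mixed "
@@ -595,7 +600,12 @@
 convert db to lower case and give a warning if the db wasn't
 already in lower case
 */
- (void)strmov(tmp_name, db.db);
+ char *end = strnmov(tmp_name, db.db, sizeof(tmp_name));
+ if (end >= tmp_name + sizeof(tmp_name))
+ {
+ sql_print_warning(ER(ER_WRONG_DB_NAME), db.db);
+ continue;
+ }
 my_casedn_str(files_charset_info, db.db);
 if (strcmp(db.db, tmp_name) != 0)
 {
@@ -2474,15 +2484,23 @@
 const char *user, const char *tname,
 bool exact, bool name_tolower)
 {
- char helping [NAME_LEN*2+USERNAME_LENGTH+3], *name_ptr;
+ char helping[NAME_LEN*2+USERNAME_LENGTH+3];
+ char *hend = helping + sizeof(helping);
 uint len;
 GRANT_NAME *grant_name,*found=0;
 HASH_SEARCH_STATE state;
 
- name_ptr= strmov(strmov(helping, user) + 1, db) + 1;
- len = (uint) (strmov(name_ptr, tname) - helping) + 1;
+ char *db_ptr= strmov(helping, user) + 1;
+ char *tname_ptr= strnmov(db_ptr, db, hend - db_ptr) + 1;
+ if (tname_ptr > hend)
+ return 0; // invalid name = not found
+ char *end= strnmov(tname_ptr, tname, hend - tname_ptr) + 1;
+ if (end > hend)
+ return 0; // invalid name = not found
+
+ len = (uint) (end - helping);
 if (name_tolower)
- my_casedn_str(files_charset_info, name_ptr);
+ my_casedn_str(files_charset_info, tname_ptr);
 for (grant_name= (GRANT_NAME*) my_hash_first(name_hash, (uchar*) helping,
 len, &state);
 grant_name ;
@@ -3466,7 +3484,12 @@
 
 if (lower_case_table_names && db)
 {
- strmov(tmp_db,db);
+ char *end= strnmov(tmp_db,db, sizeof(tmp_db));
+ if (end >= tmp_db + sizeof(tmp_db))
+ {
+ my_error(ER_WRONG_DB_NAME ,MYF(0), db);
+ DBUG_RETURN(TRUE);
+ }
 my_casedn_str(files_charset_info, tmp_db);
 db=tmp_db;
 }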
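Review bot: In the hunk at @@ -2474,15 +2484,23 @@ (name_hash_search, judging by the signature, which begins above the hunk and whose body continues below it) the user name is still copied with an unbounded `strmov(helping, user)`, so the new bounds protect only the db and tname copies; a user string longer than helping would overflow before either bounded copy runs, and because db_ptr would then lie past hend, `hend - db_ptr` is negative and is converted to a huge size_t when passed to strnmov, defeating the db bound as well. If every caller already limits user to USERNAME_LENGTH this is latent, but closing it costs two lines in the same idiom the hunk uses: `char *db_ptr= strnmov(helping, user, sizeof(helping)) + 1;` followed by `if (db_ptr > hend) return 0; // invalid name = not found`. The checks in the other three hunks (the acl_load host and db rows, and mysql_grant) look consistent with each other: a name that fills tmp_name/tmp_db without room for the terminator is rejected before the buffer is read, and strnmov's no-terminator return value is what makes the `>=` comparison correct there.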