• Sujatha Sivakumar's avatar
    Bug#16753869:INCORRECT TRUNCATION OF LONG SET EXPRESSION IN · ce29ca8b
    Sujatha Sivakumar authored
    LOAD DATA CAN CAUSE SQL INJECTION
    
    Problem:
    =======
    A long SET expression in LOAD DATA is incorrectly truncated
    when written to the binary log.
    
    Analysis:
    ========
    LOAD DATA statements are reconstructed once again before
    they are written to the binary log. When SET clauses are
    specified as part of LOAD DATA statement, these SET clause
    user command strings need to be stored as it is inorder to
    reconstruct the original user command.  At present these
    strings are stored as part of SET clause item tree's
    top most Item node's name itself which is incorrect. As an
    Item::name can be of MAX_ALIAS_NAME (256) size. Hence the
    name will get truncated to "255".
    
    Because of this the rewritten LOAD DATA statement will be
    terminated incorrectly.  When this statment is read back by
    the mysqlbinlog tool it reads a starting single quote and
    continuos to read till it finds an ending quote. Hence any
    statement written post ending quote will be considered as
    a new statement.
    
    Fix:
    ===
    As name field has length restriction the string value
    should not be stored in Item::name.  A new String list is
    maintained to store the SET expression values and this list
    is read during reconstrution.
    
    sql/sql_lex.cc:
      Clear the load data set string list during each query 
      execution.
    sql/sql_lex.h:
      Added a new String list to store the load data operation's
      SET clause user command strings.
    sql/sql_load.cc:
      Read the SET clause user command strings from load data
      set string list.
    sql/sql_yacc.yy:
      Store the SET caluse user command string as part of load
      data set string list.
    ce29ca8b
sql_lex.cc 94.2 KB