Commit 1ae05db4 authored by Alexey Botchkov's avatar Alexey Botchkov

MDEV-8078 Memory disclosure/buffer overread on audit plugin.

        If the SET PASSWORD query doesn't have the password string,
        the parsing of it can fail. It manifested first in MySQL 5.6 as
        it started to hide password lines sent to the plugins.
        Fixed by checking for that case.
parent db0ecf26
......@@ -162,6 +162,8 @@ id
CREATE USER u1 IDENTIFIED BY 'pwd-123';
GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
SET PASSWORD FOR u1 = PASSWORD('pwd 098');
SET PASSWORD FOR u1=<secret>;
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '=<secret>' at line 1
CREATE USER u3 IDENTIFIED BY '';
drop user u1, u2, u3;
select 2;
......@@ -324,6 +326,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*comment*/ select 2',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u1 IDENTIFIED BY *****',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT ALL ON sa_db TO u2 IDENTIFIED BY *****',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1 = PASSWORD(*****)',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1=<secret>',ID
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
......
......@@ -105,6 +105,8 @@ select * from t1;
CREATE USER u1 IDENTIFIED BY 'pwd-123';
GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
SET PASSWORD FOR u1 = PASSWORD('pwd 098');
--error 1064
SET PASSWORD FOR u1=<secret>;
CREATE USER u3 IDENTIFIED BY '';
drop user u1, u2, u3;
select 2;
......
......@@ -1175,9 +1175,15 @@ static size_t escape_string_hide_passwords(const char *str, unsigned int len,
for (c=0; c<d_len; c++)
result[c]= is_space(str[c]) ? ' ' : str[c];
if (*next_s)
{
memmove(result + d_len, "*****", 5);
result+= d_len + 5;
b_char= *(next_s++);
}
else
result+= d_len;
while (*next_s)
{
if (*next_s == b_char)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment