Commit 2852862c authored by serg@serg.mylan's avatar serg@serg.mylan

apply in SET PASSWORD same checks as in GRANT, to let only valid hashes through

parent f66b4a1b
...@@ -40,6 +40,8 @@ show tables; ...@@ -40,6 +40,8 @@ show tables;
Tables_in_test Tables_in_test
update mysql.user set password=old_password("gambling2") where user=_binary"test"; update mysql.user set password=old_password("gambling2") where user=_binary"test";
flush privileges; flush privileges;
set password='gambling3';
ERROR HY000: Password hash should be a 41-digit hexadecimal number
set password=old_password('gambling3'); set password=old_password('gambling3');
show tables; show tables;
Tables_in_mysql Tables_in_mysql
......
...@@ -48,6 +48,8 @@ flush privileges; ...@@ -48,6 +48,8 @@ flush privileges;
#connect (con1,localhost,test,gambling2,""); #connect (con1,localhost,test,gambling2,"");
#show tables; #show tables;
connect (con1,localhost,test,gambling2,mysql); connect (con1,localhost,test,gambling2,mysql);
--error 1105
set password='gambling3';
set password=old_password('gambling3'); set password=old_password('gambling3');
show tables; show tables;
connect (con1,localhost,test,gambling3,test); connect (con1,localhost,test,gambling3,test);
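Review bot: The added negative case covers only a value of the wrong length (`set password='gambling3';`), so the test does not show what happens to a string that has the right length but is not a hash, or to an empty password. Adding `--error 1105` cases for a 41-character non-hexadecimal string and a statement for the empty string would pin down which of these the server is meant to accept. The expected outcome for those two inputs is not visible on this page and should be confirmed against the check in check_change_password().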
......
...@@ -2851,8 +2851,9 @@ int set_var_password::check(THD *thd) ...@@ -2851,8 +2851,9 @@ int set_var_password::check(THD *thd)
if (!user->host.str) if (!user->host.str)
user->host.str= (char*) thd->host_or_ip; user->host.str= (char*) thd->host_or_ip;
/* Returns 1 as the function sends error to client */ /* Returns 1 as the function sends error to client */
return check_change_password(thd, user->host.str, user->user.str) ? 1 : 0; return check_change_password(thd, user->host.str, user->user.str, password) ?
#else 1 : 0;
#else
return 0; return 0;
#endif #endif
} }
...@@ -2861,8 +2862,8 @@ int set_var_password::update(THD *thd) ...@@ -2861,8 +2862,8 @@ int set_var_password::update(THD *thd)
{ {
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
/* Returns 1 as the function sends error to client */ /* Returns 1 as the function sends error to client */
return (change_password(thd, user->host.str, user->user.str, password) ? return change_password(thd, user->host.str, user->user.str, password) ?
1 : 0); 1 : 0;
#else #else
return 0; return 0;
#endif #endif
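Review bot: With `password` now passed from check(), the same validation runs twice per statement: once in set_var_password::check() and again in update(), because change_password() calls check_change_password() with the same arguments (visible in the sql_acl.cc section of this commit). That is harmless, but it deserves a one-line comment in update(), for example `/* password was already validated in check(); change_password() re-checks it for other callers */`, so that a later reader does not remove one of the two calls as dead code. Both function bodies begin or end outside the hunks shown.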
......
...@@ -1127,13 +1127,14 @@ bool acl_check_host(const char *host, const char *ip) ...@@ -1127,13 +1127,14 @@ bool acl_check_host(const char *host, const char *ip)
1 ERROR ; In this case the error is sent to the client. 1 ERROR ; In this case the error is sent to the client.
*/ */
bool check_change_password(THD *thd, const char *host, const char *user) bool check_change_password(THD *thd, const char *host, const char *user,
char *new_password)
{ {
if (!initialized) if (!initialized)
{ {
net_printf(thd,ER_OPTION_PREVENTS_STATEMENT, net_printf(thd,ER_OPTION_PREVENTS_STATEMENT,
"--skip-grant-tables"); /* purecov: inspected */ "--skip-grant-tables");
return(1); /* purecov: inspected */ return(1);
} }
if (!thd->slave_thread && if (!thd->slave_thread &&
(strcmp(thd->user,user) || (strcmp(thd->user,user) ||
...@@ -1147,6 +1148,15 @@ bool check_change_password(THD *thd, const char *host, const char *user) ...@@ -1147,6 +1148,15 @@ bool check_change_password(THD *thd, const char *host, const char *user)
send_error(thd, ER_PASSWORD_ANONYMOUS_USER); send_error(thd, ER_PASSWORD_ANONYMOUS_USER);
return(1); return(1);
} }
uint len=strlen(new_password);
if (len != SCRAMBLED_PASSWORD_CHAR_LENGTH &&
len != SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
{
net_printf(thd, 0,
"Password hash should be a %d-digit hexadecimal number",
SCRAMBLED_PASSWORD_CHAR_LENGTH);
return -1;
}
return(0); return(0);
} }
...@@ -1174,7 +1184,7 @@ bool change_password(THD *thd, const char *host, const char *user, ...@@ -1174,7 +1184,7 @@ bool change_password(THD *thd, const char *host, const char *user,
host,user,new_password)); host,user,new_password));
DBUG_ASSERT(host != 0); // Ensured by parent DBUG_ASSERT(host != 0); // Ensured by parent
if (check_change_password(thd, host, user)) if (check_change_password(thd, host, user, new_password))
DBUG_RETURN(1); DBUG_RETURN(1);
VOID(pthread_mutex_lock(&acl_cache->lock)); VOID(pthread_mutex_lock(&acl_cache->lock));
...@@ -1433,7 +1443,7 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo, ...@@ -1433,7 +1443,7 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo,
if (combo.password.length != SCRAMBLED_PASSWORD_CHAR_LENGTH && if (combo.password.length != SCRAMBLED_PASSWORD_CHAR_LENGTH &&
combo.password.length != SCRAMBLED_PASSWORD_CHAR_LENGTH_323) combo.password.length != SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
{ {
my_printf_error(ER_PASSWORD_NO_MATCH, my_printf_error(ER_UNKNOWN_ERROR,
"Password hash should be a %d-digit hexadecimal number", "Password hash should be a %d-digit hexadecimal number",
MYF(0), SCRAMBLED_PASSWORD_CHAR_LENGTH); MYF(0), SCRAMBLED_PASSWORD_CHAR_LENGTH);
DBUG_RETURN(-1); DBUG_RETURN(-1);
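Review bot: The new check in check_change_password() tests only `strlen(new_password)`, so any 41- or 16-character string passes even though the message and the commit title speak of valid hexadecimal hashes. If the intent is to let only valid hashes through, the characters should be checked as well (hex digits, plus whatever prefix the 41-character format requires), ideally in one helper shared with the identical length test in replace_user_table(). An empty string has length 0 and is now rejected too; if SET PASSWORD with an empty value is meant to clear the password (not visible on this page), the condition needs to be `if (len && len != SCRAMBLED_PASSWORD_CHAR_LENGTH && len != SCRAMBLED_PASSWORD_CHAR_LENGTH_323)`. The function returns `bool` and its header comment documents 1 for error, so `return -1;` should be `return(1);` like the other error paths. The start of the function and part of its body lie outside the hunks shown.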
......
...@@ -142,7 +142,8 @@ ulong acl_get(const char *host, const char *ip, ...@@ -142,7 +142,8 @@ ulong acl_get(const char *host, const char *ip,
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd, int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
uint passwd_len); uint passwd_len);
bool acl_check_host(const char *host, const char *ip); bool acl_check_host(const char *host, const char *ip);
bool check_change_password(THD *thd, const char *host, const char *user); bool check_change_password(THD *thd, const char *host, const char *user,
char *password);
bool change_password(THD *thd, const char *host, const char *user, bool change_password(THD *thd, const char *host, const char *user,
char *password); char *password);
int mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list, int mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
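Review bot: The new parameter of check_change_password() is declared `char *password`, although the definition in sql_acl.cc only passes it to strlen(). Declaring it `const char *password` would match the `host` and `user` parameters and make it clear that the check never modifies the caller's buffer; callers holding a `char *` still compile unchanged. The parameter is also named `password` here and `new_password` in the definition, so using one name in both places would make the prototype easier to match up.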
......