Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
2cac8f07
Commit
2cac8f07
authored
Jul 22, 2003
by
serg@serg.mylan
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
now GRANT db.* ... compares patterns correctly to prevent privilege escalation
parent
b0b6d81b
Changes
12
Show whitespace changes
Inline
Side-by-side
Showing
12 changed files
with
85 additions
and
70 deletions
+85
-70
include/my_sys.h
include/my_sys.h
+1
-1
mysql-test/r/grant2.result
mysql-test/r/grant2.result
+12
-13
mysql-test/t/grant2.test
mysql-test/t/grant2.test
+6
-12
mysys/mf_wcomp.c
mysys/mf_wcomp.c
+44
-21
mysys/mf_wfile.c
mysys/mf_wfile.c
+2
-2
sql/sql_acl.cc
sql/sql_acl.cc
+5
-5
sql/sql_acl.h
sql/sql_acl.h
+1
-1
sql/sql_base.cc
sql/sql_base.cc
+1
-1
sql/sql_db.cc
sql/sql_db.cc
+7
-7
sql/sql_parse.cc
sql/sql_parse.cc
+2
-2
sql/sql_show.cc
sql/sql_show.cc
+4
-4
sql/sql_yacc.yy
sql/sql_yacc.yy
+0
-1
No files found.
include/my_sys.h
View file @
2cac8f07
...
...
@@ -627,7 +627,7 @@ extern my_string my_path(my_string to,const char *progname,
const
char
*
own_pathname_part
);
extern
my_string
my_load_path
(
my_string
to
,
const
char
*
path
,
const
char
*
own_path_prefix
);
extern
int
wild_compare
(
const
char
*
str
,
const
char
*
wildstr
);
extern
int
wild_compare
(
const
char
*
str
,
const
char
*
wildstr
,
pbool
str_is_pattern
);
extern
WF_PACK
*
wf_comp
(
my_string
str
);
extern
int
wf_test
(
struct
wild_file_pack
*
wf_pack
,
const
char
*
name
);
extern
void
wf_end
(
struct
wild_file_pack
*
buffer
);
...
...
mysql-test/r/grant2.result
View file @
2cac8f07
...
...
@@ -5,20 +5,19 @@ grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
select current_user();
current_user()
mysqltest_1@localhost
grant all privileges on `my\_1`.* to mysqltest_9@localhost with grant option;
ERROR 42000: Access denied for user: 'mysqltest_1@localhost' to database 'my\_1'
grant all privileges on `my_%`.* to mysqltest_2@localhost with grant option;
select current_user();
current_user()
mysqltest_2@localhost
grant all privileges on `mysql`.* to mysqltest_3@localhost with grant option;
select current_user();
current_user()
mysqltest_3@localhost
grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
ERROR 42000: Access denied for user: 'mysqltest_1@localhost' to database 'my_%'
show grants for mysqltest_1@localhost;
Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
GRANT ALL PRIVILEGES ON `my\_%`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION
show grants for mysqltest_2@localhost;
Grants for mysqltest_2@localhost
GRANT USAGE ON *.* TO 'mysqltest_2'@'localhost'
GRANT ALL PRIVILEGES ON `my\_1`.* TO 'mysqltest_2'@'localhost' WITH GRANT OPTION
show grants for mysqltest_3@localhost;
Grants for mysqltest_3@localhost
GRANT USAGE ON *.* TO 'mysqltest_3'@'localhost'
GRANT ALL PRIVILEGES ON `mysql`.* TO 'mysqltest_3'@'localhost' WITH GRANT OPTION
ERROR 42000: There is no such grant defined for user 'mysqltest_3' on host 'localhost'
delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%';
flush privileges;
mysql-test/t/grant2.test
View file @
2cac8f07
...
...
@@ -15,22 +15,16 @@ grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
connect
(
user1
,
localhost
,
mysqltest_1
,,);
connection
user1
;
select
current_user
();
grant
all
privileges
on
`my\_1`
.*
to
mysqltest_2
@
localhost
with
grant
option
;
--
error
1044
grant
all
privileges
on
`my\_1`
.*
to
mysqltest_9
@
localhost
with
grant
option
;
grant
all
privileges
on
`my_%`
.*
to
mysqltest_2
@
localhost
with
grant
option
;
grant
all
privileges
on
`my_%`
.*
to
mysqltest_3
@
localhost
with
grant
option
;
disconnect
user1
;
connect
(
user2
,
localhost
,
mysqltest_2
,,);
connection
user2
;
select
current_user
();
grant
all
privileges
on
`mysql`
.*
to
mysqltest_3
@
localhost
with
grant
option
;
disconnect
user2
;
connect
(
user3
,
localhost
,
mysqltest_3
,,);
connection
user3
;
select
current_user
();
show
grants
for
mysqltest_3
@
localhost
;
disconnect
user3
;
connect
(
root
,
localhost
,
root
,,);
connection
root
;
show
grants
for
mysqltest_1
@
localhost
;
show
grants
for
mysqltest_2
@
localhost
;
--
error
1141
show
grants
for
mysqltest_3
@
localhost
;
delete
from
mysql
.
user
where
user
like
'mysqltest\_%'
;
delete
from
mysql
.
db
where
user
like
'mysqltest\_%'
;
flush
privileges
;
...
...
mysys/mf_wcomp.c
View file @
2cac8f07
...
...
@@ -23,11 +23,12 @@
char
wild_many
=
'*'
;
char
wild_one
=
'?'
;
char
wild_prefix
=
0
;
char
wild_prefix
=
0
;
/* QQ this can potentially cause a SIGSEGV */
int
wild_compare
(
register
const
char
*
str
,
register
const
char
*
wildstr
)
int
wild_compare
(
register
const
char
*
str
,
register
const
char
*
wildstr
,
pbool
str_is_pattern
)
{
reg3
int
flag
;
char
cmp
;
DBUG_ENTER
(
"wild_compare"
);
while
(
*
wildstr
)
...
...
@@ -35,33 +36,55 @@ int wild_compare(register const char *str, register const char *wildstr)
while
(
*
wildstr
&&
*
wildstr
!=
wild_many
&&
*
wildstr
!=
wild_one
)
{
if
(
*
wildstr
==
wild_prefix
&&
wildstr
[
1
])
{
wildstr
++
;
if
(
*
wildstr
++
!=
*
str
++
)
DBUG_RETURN
(
1
);
if
(
str_is_pattern
&&
*
str
++
!=
wild_prefix
)
DBUG_RETURN
(
1
);
}
if
(
!
*
wildstr
)
DBUG_RETURN
(
*
str
!=
0
);
if
(
*
wildstr
++
!=
*
str
++
)
DBUG_RETURN
(
1
);
}
if
(
!
*
wildstr
)
DBUG_RETURN
(
*
str
!=
0
);
if
(
*
wildstr
++
==
wild_one
)
{
if
(
!
*
str
++
)
DBUG_RETURN
(
1
);
/* One char; skipp */
if
(
!
*
str
||
(
str_is_pattern
&&
*
str
==
wild_many
))
DBUG_RETURN
(
1
);
/* One char; skipp */
if
(
*
str
++
==
wild_prefix
&&
str_is_pattern
&&
*
str
)
str
++
;
}
else
{
/* Found '*' */
if
(
!*
wildstr
)
DBUG_RETURN
(
0
);
/* '*' as last char: OK */
flag
=
(
*
wildstr
!=
wild_many
&&
*
wildstr
!=
wild_one
);
do
while
(
str_is_pattern
&&
*
str
==
wild_many
)
str
++
;
for
(;
*
wildstr
==
wild_many
||
*
wildstr
==
wild_one
;
wildstr
++
)
if
(
*
wildstr
==
wild_many
)
{
if
(
flag
)
while
(
str_is_pattern
&&
*
str
==
wild_many
)
str
++
;
}
else
{
char
cmp
;
if
((
cmp
=
*
wildstr
)
==
wild_prefix
&&
wildstr
[
1
])
if
(
str_is_pattern
&&
*
str
==
wild_prefix
&&
str
[
1
])
str
+=
2
;
else
if
(
!
*
str
++
)
DBUG_RETURN
(
1
);
}
if
(
!*
wildstr
)
DBUG_RETURN
(
0
);
/* '*' as last char: OK */
if
((
cmp
=
*
wildstr
)
==
wild_prefix
&&
wildstr
[
1
]
&&
!
str_is_pattern
)
cmp
=
wildstr
[
1
];
for
(;;
str
++
)
{
while
(
*
str
&&
*
str
!=
cmp
)
str
++
;
if
(
!*
str
)
DBUG_RETURN
(
1
);
if
(
!*
str
)
DBUG_RETURN
(
1
);
if
(
wild_compare
(
str
,
wildstr
,
str_is_pattern
)
==
0
)
DBUG_RETURN
(
0
);
}
if
(
wild_compare
(
str
,
wildstr
)
==
0
)
DBUG_RETURN
(
0
);
}
while
(
*
str
++
&&
wildstr
[
0
]
!=
wild_many
);
DBUG_RETURN
(
1
);
}
}
DBUG_RETURN
(
*
str
!=
'\0'
);
DBUG_RETURN
(
*
str
!=
0
);
}
/* wild_compare */
mysys/mf_wfile.c
View file @
2cac8f07
...
...
@@ -99,7 +99,7 @@ int wf_test(register WF_PACK *wf_pack, register const char *name)
not_pos
=
wf_pack
->
not_pos
;
for
(
i
=
0
;
i
<
not_pos
;
i
++
)
if
(
wild_compare
(
name
,
wf_pack
->
wild
[
i
])
==
0
)
if
(
wild_compare
(
name
,
wf_pack
->
wild
[
i
]
,
0
)
==
0
)
goto
found
;
if
(
i
)
DBUG_RETURN
(
1
);
/* No-match */
...
...
@@ -108,7 +108,7 @@ found:
/* Test that it isn't in not-list */
for
(
i
=
not_pos
;
i
<
wf_pack
->
wilds
;
i
++
)
if
(
wild_compare
(
name
,
wf_pack
->
wild
[
i
])
==
0
)
if
(
wild_compare
(
name
,
wf_pack
->
wild
[
i
]
,
0
)
==
0
)
DBUG_RETURN
(
1
);
DBUG_RETURN
(
0
);
}
/* wf_test */
...
...
sql/sql_acl.cc
View file @
2cac8f07
...
...
@@ -877,7 +877,7 @@ static void acl_insert_db(const char *user, const char *host, const char *db,
*****************************************************************************/
ulong
acl_get
(
const
char
*
host
,
const
char
*
ip
,
const
char
*
bin_ip
,
const
char
*
user
,
const
char
*
db
)
const
char
*
user
,
const
char
*
db
,
my_bool
db_is_pattern
)
{
ulong
host_access
,
db_access
;
uint
i
,
key_length
;
...
...
@@ -911,7 +911,7 @@ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
{
if
(
compare_hostname
(
&
acl_db
->
host
,
host
,
ip
))
{
if
(
!
acl_db
->
db
||
!
wild_compare
(
db
,
acl_db
->
db
))
if
(
!
acl_db
->
db
||
!
wild_compare
(
db
,
acl_db
->
db
,
db_is_pattern
))
{
db_access
=
acl_db
->
access
;
if
(
acl_db
->
host
.
hostname
)
...
...
@@ -933,7 +933,7 @@ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
ACL_HOST
*
acl_host
=
dynamic_element
(
&
acl_hosts
,
i
,
ACL_HOST
*
);
if
(
compare_hostname
(
&
acl_host
->
host
,
host
,
ip
))
{
if
(
!
acl_host
->
db
||
!
wild_compare
(
db
,
acl_host
->
db
))
if
(
!
acl_host
->
db
||
!
wild_compare
(
db
,
acl_host
->
db
,
db_is_pattern
))
{
host_access
=
acl_host
->
access
;
// Fully specified. Take it
break
;
...
...
@@ -1271,7 +1271,7 @@ static bool compare_hostname(const acl_host_and_ip *host, const char *hostname,
return
(
!
host
->
hostname
||
(
hostname
&&
!
wild_case_compare
(
&
my_charset_latin1
,
hostname
,
host
->
hostname
))
||
(
ip
&&
!
wild_compare
(
ip
,
host
->
hostname
)));
(
ip
&&
!
wild_compare
(
ip
,
host
->
hostname
,
0
)));
}
...
...
@@ -1331,7 +1331,7 @@ static bool test_if_create_new_users(THD *thd)
tl
.
db
=
(
char
*
)
"mysql"
;
tl
.
real_name
=
(
char
*
)
"user"
;
db_access
=
acl_get
(
thd
->
host
,
thd
->
ip
,
(
char
*
)
&
thd
->
remote
.
sin_addr
,
thd
->
priv_user
,
tl
.
db
);
thd
->
priv_user
,
tl
.
db
,
0
);
if
(
!
(
db_access
&
INSERT_ACL
))
{
if
(
check_grant
(
thd
,
INSERT_ACL
,
&
tl
,
0
,
1
))
...
...
sql/sql_acl.h
View file @
2cac8f07
...
...
@@ -134,7 +134,7 @@ my_bool acl_init(THD *thd, bool dont_read_acl_tables);
void
acl_reload
(
THD
*
thd
);
void
acl_free
(
bool
end
=
0
);
ulong
acl_get
(
const
char
*
host
,
const
char
*
ip
,
const
char
*
bin_ip
,
const
char
*
user
,
const
char
*
db
);
const
char
*
user
,
const
char
*
db
,
my_bool
db_is_pattern
);
ulong
acl_getroot
(
THD
*
thd
,
const
char
*
host
,
const
char
*
ip
,
const
char
*
user
,
const
char
*
password
,
const
char
*
scramble
,
char
**
priv_user
,
char
*
priv_host
,
...
...
sql/sql_base.cc
View file @
2cac8f07
...
...
@@ -148,7 +148,7 @@ OPEN_TABLE_LIST *list_open_tables(THD *thd, const char *wild)
if
(
wild
)
{
strxmov
(
name
,
entry
->
table_cache_key
,
"."
,
entry
->
real_name
,
NullS
);
if
(
wild_compare
(
name
,
wild
))
if
(
wild_compare
(
name
,
wild
,
0
))
continue
;
}
...
...
sql/sql_db.cc
View file @
2cac8f07
...
...
@@ -591,7 +591,7 @@ bool mysql_change_db(THD *thd, const char *name)
db_access
=
DB_ACLS
;
else
db_access
=
(
acl_get
(
thd
->
host
,
thd
->
ip
,(
char
*
)
&
thd
->
remote
.
sin_addr
,
thd
->
priv_user
,
dbname
)
|
thd
->
priv_user
,
dbname
,
0
)
|
thd
->
master_access
);
if
(
!
(
db_access
&
DB_ACLS
)
&&
(
!
grant_option
||
check_grant_db
(
thd
,
dbname
)))
{
...
...
@@ -655,7 +655,7 @@ int mysqld_show_create_db(THD *thd, char *dbname,
db_access
=
DB_ACLS
;
else
db_access
=
(
acl_get
(
thd
->
host
,
thd
->
ip
,(
char
*
)
&
thd
->
remote
.
sin_addr
,
thd
->
priv_user
,
dbname
)
|
thd
->
priv_user
,
dbname
,
0
)
|
thd
->
master_access
);
if
(
!
(
db_access
&
DB_ACLS
)
&&
(
!
grant_option
||
check_grant_db
(
thd
,
dbname
)))
{
...
...
sql/sql_parse.cc
View file @
2cac8f07
...
...
@@ -3254,7 +3254,7 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
if
(
!
(
thd
->
master_access
&
SELECT_ACL
)
&&
(
db
&&
(
!
thd
->
db
||
strcmp
(
db
,
thd
->
db
))))
db_access
=
acl_get
(
thd
->
host
,
thd
->
ip
,
(
char
*
)
&
thd
->
remote
.
sin_addr
,
thd
->
priv_user
,
db
);
/* purecov: inspected */
thd
->
priv_user
,
db
,
test
(
want_access
&
GRANT_ACL
));
*
save_priv
=
thd
->
master_access
|
db_access
;
DBUG_RETURN
(
FALSE
);
}
...
...
@@ -3274,7 +3274,7 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
if
(
db
&&
(
!
thd
->
db
||
strcmp
(
db
,
thd
->
db
)))
db_access
=
acl_get
(
thd
->
host
,
thd
->
ip
,
(
char
*
)
&
thd
->
remote
.
sin_addr
,
thd
->
priv_user
,
db
);
/* purecov: inspected */
thd
->
priv_user
,
db
,
test
(
want_access
&
GRANT_ACL
));
else
db_access
=
thd
->
db_access
;
// Remove SHOW attribute and access rights we already have
...
...
sql/sql_show.cc
View file @
2cac8f07
...
...
@@ -75,7 +75,7 @@ mysqld_show_dbs(THD *thd,const char *wild)
{
if
(
thd
->
master_access
&
(
DB_ACLS
|
SHOW_DB_ACL
)
||
acl_get
(
thd
->
host
,
thd
->
ip
,
(
char
*
)
&
thd
->
remote
.
sin_addr
,
thd
->
priv_user
,
file_name
)
||
thd
->
priv_user
,
file_name
,
0
)
||
(
grant_option
&&
!
check_grant_db
(
thd
,
file_name
)))
{
protocol
->
prepare_for_resend
();
...
...
@@ -415,7 +415,7 @@ mysql_find_files(THD *thd,List<char> *files, const char *db,const char *path,
#endif
{
if
(
file
->
name
[
0
]
==
'.'
||
!
MY_S_ISDIR
(
file
->
mystat
.
st_mode
)
||
(
wild
&&
wild_compare
(
file
->
name
,
wild
)))
(
wild
&&
wild_compare
(
file
->
name
,
wild
,
0
)))
continue
;
}
}
...
...
@@ -433,7 +433,7 @@ mysql_find_files(THD *thd,List<char> *files, const char *db,const char *path,
if
(
wild_case_compare
(
system_charset_info
,
file
->
name
,
wild
))
continue
;
}
else
if
(
wild_compare
(
file
->
name
,
wild
))
else
if
(
wild_compare
(
file
->
name
,
wild
,
0
))
continue
;
}
}
...
...
sql/sql_yacc.yy
View file @
2cac8f07
...
...
@@ -547,7 +547,6 @@ bool my_yyoverflow(short **a, YYSTYPE **b,int *yystacksize);
%token SUBJECT_SYM
%token CIPHER_SYM
%token HELP
%token BEFORE_SYM
%left SET_VAR
%left OR_OR_CONCAT OR
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment