now GRANT db.* ... compares patterns correctly to prevent privilege escalation

2cac8f07 · serg@serg.mylan · b0b6d81b · 2cac8f07 · 2cac8f07 · 2cac8f07
Commit 2cac8f07 authored Jul 22, 2003 by serg@serg.mylan
12 changed files
--- a/include/my_sys.h
+++ b/include/my_sys.h
@@ -627,7 +627,7 @@ extern my_string my_path(my_string to,const char *progname,
 			 const char *own_pathname_part);
 extern my_string my_load_path(my_string to, const char *path,
 			      const char *own_path_prefix);
-extern int wild_compare(const char *str,const char *wildstr);
+extern int wild_compare(const char *str,const char *wildstr,pbool str_is_pattern);
 extern WF_PACK *wf_comp(my_string str);
 extern int wf_test(struct wild_file_pack *wf_pack,const char *name);
 extern void wf_end(struct wild_file_pack *buffer);

--- a/mysql-test/r/grant2.result
+++ b/mysql-test/r/grant2.result
@@ -5,20 +5,19 @@ grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
 select current_user();
 current_user()
 mysqltest_1@localhost
-grant all privileges on `my\_1`.* to mysqltest_9@localhost with grant option;
-ERROR 42000: Access denied for user: 'mysqltest_1@localhost' to database 'my\_1'
-grant all privileges on `my_%`.* to mysqltest_2@localhost with grant option;
-select current_user();
-current_user()
-mysqltest_2@localhost
-grant all privileges on `mysql`.* to mysqltest_3@localhost with grant option;
-select current_user();
-current_user()
-mysqltest_3@localhost
+grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
+grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
+ERROR 42000: Access denied for user: 'mysqltest_1@localhost' to database 'my_%'
+show grants for mysqltest_1@localhost;
+Grants for mysqltest_1@localhost
+GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
+GRANT ALL PRIVILEGES ON `my\_%`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION
+show grants for mysqltest_2@localhost;
+Grants for mysqltest_2@localhost
+GRANT USAGE ON *.* TO 'mysqltest_2'@'localhost'
+GRANT ALL PRIVILEGES ON `my\_1`.* TO 'mysqltest_2'@'localhost' WITH GRANT OPTION
 show grants for mysqltest_3@localhost;
-Grants for mysqltest_3@localhost
-GRANT USAGE ON *.* TO 'mysqltest_3'@'localhost'
-GRANT ALL PRIVILEGES ON `mysql`.* TO 'mysqltest_3'@'localhost' WITH GRANT OPTION
+ERROR 42000: There is no such grant defined for user 'mysqltest_3' on host 'localhost'
 delete from mysql.user where user like 'mysqltest\_%';
 delete from mysql.db where user like 'mysqltest\_%';
 flush privileges;
--- a/mysql-test/t/grant2.test
+++ b/mysql-test/t/grant2.test
@@ -15,22 +15,16 @@ grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
 connect (user1,localhost,mysqltest_1,,);
 connection user1;
 select current_user();
+grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
 --error 1044
-grant all privileges on `my\_1`.* to mysqltest_9@localhost with grant option;
-grant all privileges on `my_%`.* to mysqltest_2@localhost with grant option;
+grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
 disconnect user1;
-connect (user2,localhost,mysqltest_2,,);
-connection user2;
-select current_user();
-grant all privileges on `mysql`.* to mysqltest_3@localhost with grant option;
-disconnect user2;
-connect (user3,localhost,mysqltest_3,,);
-connection user3;
-select current_user();
-show grants for mysqltest_3@localhost;
-disconnect user3;
 connect (root,localhost,root,,);
 connection root;
+show grants for mysqltest_1@localhost;
+show grants for mysqltest_2@localhost;
+--error 1141
+show grants for mysqltest_3@localhost;
 delete from mysql.user where user like 'mysqltest\_%';
 delete from mysql.db where user like 'mysqltest\_%';
 flush privileges;

--- a/mysys/mf_wcomp.c
+++ b/mysys/mf_wcomp.c
@@ -23,11 +23,12 @@

 char wild_many='*';
 char wild_one='?';
-char wild_prefix=0;
+char wild_prefix=0; /* QQ this can potentially cause a SIGSEGV */

-int wild_compare(register const char *str, register const char *wildstr)
+int wild_compare(register const char *str, register const char *wildstr,
+                 pbool str_is_pattern)
 {
-  reg3 int flag;
+  char cmp;
  DBUG_ENTER("wild_compare");

  while (*wildstr)
@@ -35,33 +36,55 @@ int wild_compare(register const char *str, register const char *wildstr)
    while (*wildstr && *wildstr != wild_many && *wildstr != wild_one)
    {
      if (*wildstr == wild_prefix && wildstr[1])
+      {
 	wildstr++;
-      if (*wildstr++ != *str++) DBUG_RETURN(1);
+        if (str_is_pattern && *str++ != wild_prefix)
+          DBUG_RETURN(1);
+      }
+      if (*wildstr++ != *str++)
+        DBUG_RETURN(1);
    }
-    if (! *wildstr ) DBUG_RETURN (*str != 0);
+    if (! *wildstr )
+      DBUG_RETURN(*str != 0);
    if (*wildstr++ == wild_one)
    {
-      if (! *str++) DBUG_RETURN (1);	/* One char; skipp */
+      if (! *str || (str_is_pattern && *str == wild_many))
+        DBUG_RETURN(1);                     /* One char; skipp */
+      if (*str++ == wild_prefix && str_is_pattern && *str)
+        str++;
    }
    else
    {						/* Found '*' */
-      if (!*wildstr) DBUG_RETURN(0);		/* '*' as last char: OK */
-      flag=(*wildstr != wild_many && *wildstr != wild_one);
-      do
+      while (str_is_pattern && *str == wild_many)
+        str++;
+      for (; *wildstr ==  wild_many || *wildstr == wild_one; wildstr++)
+        if (*wildstr == wild_many)
+        {
+          while (str_is_pattern && *str == wild_many)
+            str++;
+        }
+        else
+        {
+          if (str_is_pattern && *str == wild_prefix && str[1])
+            str+=2;
+          else if (! *str++)
+            DBUG_RETURN (1);
+        }
+      if (!*wildstr)
+        DBUG_RETURN(0);		/* '*' as last char: OK */
+      if ((cmp= *wildstr) == wild_prefix && wildstr[1] && !str_is_pattern)
+        cmp=wildstr[1];
+      for(;;str++)
      {
-	if (flag)
-	{
-	  char cmp;
-	  if ((cmp= *wildstr) == wild_prefix && wildstr[1])
-	    cmp=wildstr[1];
-	  while (*str && *str != cmp)
-	    str++;
-	  if (!*str) DBUG_RETURN (1);
-	}
-	if (wild_compare(str,wildstr) == 0) DBUG_RETURN (0);
-      } while (*str++ && wildstr[0] != wild_many);
+        while (*str && *str != cmp)
+          str++;
+        if (!*str)
+          DBUG_RETURN (1);
+	if (wild_compare(str,wildstr,str_is_pattern) == 0)
+          DBUG_RETURN (0);
+      }
      DBUG_RETURN(1);
    }
  }
-  DBUG_RETURN (*str != '\0');
+  DBUG_RETURN (*str != 0);
 } /* wild_compare */
--- a/mysys/mf_wfile.c
+++ b/mysys/mf_wfile.c
@@ -99,7 +99,7 @@ int wf_test(register WF_PACK *wf_pack, register const char *name)

  not_pos=wf_pack->not_pos;
  for (i=0 ; i < not_pos; i++)
-    if (wild_compare(name,wf_pack->wild[i]) == 0)
+    if (wild_compare(name,wf_pack->wild[i],0) == 0)
      goto found;
  if (i)
    DBUG_RETURN(1);			/* No-match */
@@ -108,7 +108,7 @@ int wf_test(register WF_PACK *wf_pack, register const char *name)
 /* Test that it isn't in not-list */

  for (i=not_pos ; i < wf_pack->wilds; i++)
-    if (wild_compare(name,wf_pack->wild[i]) == 0)
+    if (wild_compare(name,wf_pack->wild[i],0) == 0)
      DBUG_RETURN(1);
  DBUG_RETURN(0);
 } /* wf_test */

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -877,7 +877,7 @@ static void acl_insert_db(const char *user, const char *host, const char *db,
 *****************************************************************************/

 ulong acl_get(const char *host, const char *ip, const char *bin_ip,
-	     const char *user, const char *db)
+	     const char *user, const char *db, my_bool db_is_pattern)
 {
  ulong host_access,db_access;
  uint i,key_length;
@@ -911,7 +911,7 @@ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
    {
      if (compare_hostname(&acl_db->host,host,ip))
      {
-	if (!acl_db->db || !wild_compare(db,acl_db->db))
+	if (!acl_db->db || !wild_compare(db,acl_db->db,db_is_pattern))
 	{
 	  db_access=acl_db->access;
 	  if (acl_db->host.hostname)
@@ -933,7 +933,7 @@ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
    ACL_HOST *acl_host=dynamic_element(&acl_hosts,i,ACL_HOST*);
    if (compare_hostname(&acl_host->host,host,ip))
    {
-      if (!acl_host->db || !wild_compare(db,acl_host->db))
+      if (!acl_host->db || !wild_compare(db,acl_host->db,db_is_pattern))
      {
 	host_access=acl_host->access;		// Fully specified. Take it
 	break;
@@ -1271,7 +1271,7 @@ static bool compare_hostname(const acl_host_and_ip *host, const char *hostname,
  return (!host->hostname ||
 	  (hostname && !wild_case_compare(&my_charset_latin1,
                                          hostname,host->hostname)) ||
-	  (ip && !wild_compare(ip,host->hostname)));
+	  (ip && !wild_compare(ip,host->hostname,0)));
 }


@@ -1331,7 +1331,7 @@ static bool test_if_create_new_users(THD *thd)
    tl.db=	   (char*) "mysql";
    tl.real_name=  (char*) "user";
    db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
-		      thd->priv_user, tl.db);
+		      thd->priv_user, tl.db, 0);
    if (!(db_access & INSERT_ACL))
    {
      if (check_grant(thd,INSERT_ACL,&tl,0,1))

--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -134,7 +134,7 @@ my_bool  acl_init(THD *thd, bool dont_read_acl_tables);
 void acl_reload(THD *thd);
 void acl_free(bool end=0);
 ulong acl_get(const char *host, const char *ip, const char *bin_ip,
-	      const char *user, const char *db);
+	      const char *user, const char *db, my_bool db_is_pattern);
 ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
 		  const char *password,const char *scramble,
                  char **priv_user, char *priv_host,

--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -148,7 +148,7 @@ OPEN_TABLE_LIST *list_open_tables(THD *thd, const char *wild)
    if (wild)
    {
      strxmov(name,entry->table_cache_key,".",entry->real_name,NullS);
-      if (wild_compare(name,wild))
+      if (wild_compare(name,wild,0))
 	continue;
    }


--- a/sql/sql_db.cc
+++ b/sql/sql_db.cc
@@ -591,7 +591,7 @@ bool mysql_change_db(THD *thd, const char *name)
    db_access=DB_ACLS;
  else
    db_access= (acl_get(thd->host,thd->ip,(char*) &thd->remote.sin_addr,
-			thd->priv_user,dbname) |
+			thd->priv_user,dbname,0) |
 		thd->master_access);
  if (!(db_access & DB_ACLS) && (!grant_option || check_grant_db(thd,dbname)))
  {
@@ -625,8 +625,8 @@ bool mysql_change_db(THD *thd, const char *name)

  strmov(path+unpack_dirname(path,path), MY_DB_OPT_FILE);
  load_db_opt(thd, path, &create);
-  thd->db_charset= create.table_charset ? 
-		   create.table_charset : 
+  thd->db_charset= create.table_charset ?
+		   create.table_charset :
 		   global_system_variables.character_set_database;
  thd->variables.character_set_database= thd->db_charset;
  DBUG_RETURN(0);
@@ -644,18 +644,18 @@ int mysqld_show_create_db(THD *thd, char *dbname,
  uint create_options = create_info ? create_info->options : 0;
  Protocol *protocol=thd->protocol;
  DBUG_ENTER("mysql_show_create_db");
-  
+
  if (check_db_name(dbname))
  {
    net_printf(thd,ER_WRONG_DB_NAME, dbname);
    DBUG_RETURN(1);
  }
-  
+
  if (test_all_bits(thd->master_access,DB_ACLS))
    db_access=DB_ACLS;
  else
    db_access= (acl_get(thd->host,thd->ip,(char*) &thd->remote.sin_addr,
-			thd->priv_user,dbname) |
+			thd->priv_user,dbname,0) |
 		thd->master_access);
  if (!(db_access & DB_ACLS) && (!grant_option || check_grant_db(thd,dbname)))
  {
@@ -669,7 +669,7 @@ int mysqld_show_create_db(THD *thd, char *dbname,
 		    dbname);
    DBUG_RETURN(1);
  }
-  
+
  (void) sprintf(path,"%s/%s",mysql_data_home, dbname);
  length=unpack_dirname(path,path);		// Convert if not unix
  found_libchar= 0;

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -3254,7 +3254,7 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
    if (!(thd->master_access & SELECT_ACL) &&
 	(db && (!thd->db || strcmp(db,thd->db))))
      db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
-			thd->priv_user, db); /* purecov: inspected */
+			thd->priv_user, db, test(want_access & GRANT_ACL));
    *save_priv=thd->master_access | db_access;
    DBUG_RETURN(FALSE);
  }
@@ -3274,7 +3274,7 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,

  if (db && (!thd->db || strcmp(db,thd->db)))
    db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
-		      thd->priv_user, db); /* purecov: inspected */
+		      thd->priv_user, db, test(want_access & GRANT_ACL));
  else
    db_access=thd->db_access;
  // Remove SHOW attribute and access rights we already have

--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -75,7 +75,7 @@ mysqld_show_dbs(THD *thd,const char *wild)
  {
    if (thd->master_access & (DB_ACLS | SHOW_DB_ACL) ||
 	acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
-		thd->priv_user, file_name) ||
+		thd->priv_user, file_name,0) ||
 	(grant_option && !check_grant_db(thd, file_name)))
    {
      protocol->prepare_for_resend();
@@ -415,7 +415,7 @@ mysql_find_files(THD *thd,List<char> *files, const char *db,const char *path,
 #endif
      {
        if (file->name[0] == '.' || !MY_S_ISDIR(file->mystat.st_mode) ||
-            (wild && wild_compare(file->name,wild)))
+            (wild && wild_compare(file->name,wild,0)))
          continue;
      }
    }
@@ -433,7 +433,7 @@ mysql_find_files(THD *thd,List<char> *files, const char *db,const char *path,
 	  if (wild_case_compare(system_charset_info,file->name,wild))
 	    continue;
 	}
-	else if (wild_compare(file->name,wild))
+	else if (wild_compare(file->name,wild,0))
 	  continue;
      }
    }
@@ -1031,7 +1031,7 @@ store_create_info(THD *thd, TABLE *table, String *packet)
  my_bool limited_mysql_mode= (thd->variables.sql_mode &
 			       (MODE_NO_FIELD_OPTIONS | MODE_MYSQL323 |
 				MODE_MYSQL40)) != 0;
-			       
+
  DBUG_ENTER("store_create_info");
  DBUG_PRINT("enter",("table: %s",table->real_name));


--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -547,7 +547,6 @@ bool my_yyoverflow(short **a, YYSTYPE **b,int *yystacksize);
 %token  SUBJECT_SYM
 %token  CIPHER_SYM

-%token  HELP
 %token  BEFORE_SYM
 %left   SET_VAR
 %left	OR_OR_CONCAT OR