Commit 2e964b23 authored by Alexey Botchkov's avatar Alexey Botchkov

MDEV-13921 Audit log writes invalid SQL if single-line comments are

present.

        Escape special characters (like \r \n \t) instead of
        replacing them with spaces.
parent cfb33617
...@@ -47,6 +47,7 @@ alter table t1 rename renamed_t1; ...@@ -47,6 +47,7 @@ alter table t1 rename renamed_t1;
set global server_audit_events='connect,query'; set global server_audit_events='connect,query';
select 1, select 1,
2, 2,
# comment
3; 3;
1 2 3 1 2 3
1 2 3 1 2 3
...@@ -161,7 +162,9 @@ id ...@@ -161,7 +162,9 @@ id
2 2
CREATE USER u1 IDENTIFIED BY 'pwd-123'; CREATE USER u1 IDENTIFIED BY 'pwd-123';
GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321"; GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
SET PASSWORD FOR u1 = PASSWORD('pwd 098'); SET PASSWORD
# comment
FOR u1 = PASSWORD('pwd 098');
SET PASSWORD FOR u1=<secret>; SET PASSWORD FOR u1=<secret>;
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '<secret>' at line 1 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '<secret>' at line 1
CREATE USER u3 IDENTIFIED BY ''; CREATE USER u3 IDENTIFIED BY '';
...@@ -251,7 +254,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,ALTER,test,t1, ...@@ -251,7 +254,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,ALTER,test,t1,
TIME,HOSTNAME,root,localhost,ID,ID,RENAME,test,t1|test.renamed_t1, TIME,HOSTNAME,root,localhost,ID,ID,RENAME,test,t1|test.renamed_t1,
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'alter table t1 rename renamed_t1',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'alter table t1 rename renamed_t1',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_events=\'connect,query\'',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'set global server_audit_events=\'connect,query\'',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'select 1, 2, 3',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'select 1,\n2,\n# comment\n3',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'insert into t2 values (1), (2)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'insert into t2 values (1), (2)',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'select * from t2',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'select * from t2',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'select * from t_doesnt_exist',ID TIME,HOSTNAME,root,localhost,ID,ID,QUERY,test,'select * from t_doesnt_exist',ID
...@@ -325,7 +328,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*! select 2*/',0 ...@@ -325,7 +328,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*! select 2*/',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*comment*/ select 2',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*comment*/ select 2',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u1 IDENTIFIED BY *****',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u1 IDENTIFIED BY *****',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT ALL ON sa_db TO u2 IDENTIFIED BY *****',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT ALL ON sa_db TO u2 IDENTIFIED BY *****',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1 = PASSWORD(*****)',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD \n# comment\nFOR u1 = PASSWORD(*****)',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1=<secret>',ID TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1=<secret>',ID
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0
TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0
......
...@@ -38,6 +38,7 @@ alter table t1 rename renamed_t1; ...@@ -38,6 +38,7 @@ alter table t1 rename renamed_t1;
set global server_audit_events='connect,query'; set global server_audit_events='connect,query';
select 1, select 1,
2, 2,
# comment
3; 3;
insert into t2 values (1), (2); insert into t2 values (1), (2);
select * from t2; select * from t2;
...@@ -106,7 +107,9 @@ insert into t1 values (1), (2); ...@@ -106,7 +107,9 @@ insert into t1 values (1), (2);
select * from t1; select * from t1;
CREATE USER u1 IDENTIFIED BY 'pwd-123'; CREATE USER u1 IDENTIFIED BY 'pwd-123';
GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321"; GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
SET PASSWORD FOR u1 = PASSWORD('pwd 098'); SET PASSWORD
# comment
FOR u1 = PASSWORD('pwd 098');
--error 1064 --error 1064
SET PASSWORD FOR u1=<secret>; SET PASSWORD FOR u1=<secret>;
CREATE USER u3 IDENTIFIED BY ''; CREATE USER u3 IDENTIFIED BY '';
......
...@@ -1122,6 +1122,21 @@ do { \ ...@@ -1122,6 +1122,21 @@ do { \
} while(0) } while(0)
#define ESC_MAP_SIZE 0x60
static const char esc_map[ESC_MAP_SIZE]=
{
0, 0, 0, 0, 0, 0, 0, 0, 'b', 't', 'n', 0, 'f', 'r', 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, '\'', 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, '\\', 0, 0, 0
};
static char escaped_char(char c)
{
return ((unsigned char ) c) >= ESC_MAP_SIZE ? 0 : esc_map[(unsigned char) c];
}
static void setup_connection_initdb(struct connection_info *cn, static void setup_connection_initdb(struct connection_info *cn,
...@@ -1328,21 +1343,16 @@ static size_t escape_string(const char *str, unsigned int len, ...@@ -1328,21 +1343,16 @@ static size_t escape_string(const char *str, unsigned int len,
const char *res_end= result + result_len - 2; const char *res_end= result + result_len - 2;
while (len) while (len)
{ {
char esc_c;
if (result >= res_end) if (result >= res_end)
break; break;
if (*str == '\'') if ((esc_c= escaped_char(*str)))
{ {
if (result+1 >= res_end) if (result+1 >= res_end)
break; break;
*(result++)= '\\'; *(result++)= '\\';
*(result++)= '\''; *(result++)= esc_c;
}
else if (*str == '\\')
{
if (result+1 >= res_end)
break;
*(result++)= '\\';
*(result++)= '\\';
} }
else if (is_space(*str)) else if (is_space(*str))
*(result++)= ' '; *(result++)= ' ';
...@@ -1431,19 +1441,12 @@ static size_t escape_string_hide_passwords(const char *str, unsigned int len, ...@@ -1431,19 +1441,12 @@ static size_t escape_string_hide_passwords(const char *str, unsigned int len,
no_password: no_password:
if (result >= res_end) if (result >= res_end)
break; break;
if (*str == '\'') if ((b_char= escaped_char(*str)))
{
if (result+1 >= res_end)
break;
*(result++)= '\\';
*(result++)= '\'';
}
else if (*str == '\\')
{ {
if (result+1 >= res_end) if (result+1 >= res_end)
break; break;
*(result++)= '\\'; *(result++)= '\\';
*(result++)= '\\'; *(result++)= b_char;
} }
else if (is_space(*str)) else if (is_space(*str))
*(result++)= ' '; *(result++)= ' ';
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment