BUG#31611 (Security risk with BINLOG statement):

Adding check that the user executing a BINLOG statement has SUPER privileges and aborting execution of the statement with an error otherwise.

BUG#31611 (Security risk with BINLOG statement):
Adding check that the user executing a BINLOG statement has SUPER privileges and aborting execution of the statement with an error otherwise.
c0138b94 · mats@kindahl-laptop.dnsalias.net · 0b59871b · c0138b94 · c0138b94 · c0138b94
Commit c0138b94 authored Nov 03, 2007 by mats@kindahl-laptop.dnsalias.net
Showing with 55 additions and 0 deletions

mysql-test/r/mysqlbinlog.result mysql-test/r/mysqlbinlog.result +22 -0

mysql-test/t/mysqlbinlog.test mysql-test/t/mysqlbinlog.test +27 -0

sql/sql_binlog.cc sql/sql_binlog.cc +6 -0

No files found.
--- a/mysql-test/r/mysqlbinlog.result
+++ b/mysql-test/r/mysqlbinlog.result
@@ -328,4 +328,26 @@ drop table t1;
 drop table t1;
 End of 5.0 tests
 flush logs;
+BUG#31611: Security risk with BINLOG statement
+SET BINLOG_FORMAT=ROW;
+CREATE DATABASE mysqltest1;
+CREATE USER untrusted@localhost;
+GRANT SELECT ON mysqltest1.* TO untrusted@localhost;
+SHOW GRANTS FOR untrusted@localhost;
+Grants for untrusted@localhost
+GRANT USAGE ON *.* TO 'untrusted'@'localhost'
+GRANT SELECT ON `mysqltest1`.* TO 'untrusted'@'localhost'
+USE mysqltest1;
+CREATE TABLE t1 (a INT, b CHAR(64));
+flush logs;
+INSERT INTO t1 VALUES (1,USER());
+flush logs;
+mysqlbinlog var/log/master-bin.000017 > var/tmp/bug31611.sql
+mysql mysqltest1 -uuntrusted < var/tmp/bug31611.sql
+INSERT INTO t1 VALUES (1,USER());
+ERROR 42000: INSERT command denied to user 'untrusted'@'localhost' for table 't1'
+SELECT * FROM t1;
+a	b
+1	root@localhost
+DROP DATABASE mysqltest1;
 End of 5.1 tests
--- a/mysql-test/t/mysqlbinlog.test
+++ b/mysql-test/t/mysqlbinlog.test
@@ -250,4 +250,31 @@ flush logs;
 --exec $MYSQL_BINLOG $MYSQLTEST_VARDIR/log/master-bin.000016 >/dev/null 2>/dev/null
 --exec $MYSQL_BINLOG --force-if-open $MYSQLTEST_VARDIR/log/master-bin.000016 >/dev/null 2>/dev/null

+--echo BUG#31611: Security risk with BINLOG statement
+
+SET BINLOG_FORMAT=ROW;
+CREATE DATABASE mysqltest1;
+CREATE USER untrusted@localhost;
+GRANT SELECT ON mysqltest1.* TO untrusted@localhost;
+
+SHOW GRANTS FOR untrusted@localhost;
+USE mysqltest1;
+CREATE TABLE t1 (a INT, b CHAR(64));
+flush logs;
+INSERT INTO t1 VALUES (1,USER());
+flush logs;
+echo mysqlbinlog var/log/master-bin.000017 > var/tmp/bug31611.sql;
+exec $MYSQL_BINLOG $MYSQLTEST_VARDIR/log/master-bin.000017 > $MYSQLTEST_VARDIR/tmp/bug31611.sql;
+connect (unsecure,localhost,untrusted,,mysqltest1);
+echo mysql mysqltest1 -uuntrusted < var/tmp/bug31611.sql;
+error 1;
+exec $MYSQL mysqltest1 -uuntrusted < $MYSQLTEST_VARDIR/tmp/bug31611.sql;
+connection unsecure;
+error ER_TABLEACCESS_DENIED_ERROR;
+INSERT INTO t1 VALUES (1,USER());
+
+SELECT * FROM t1;
+connection default;
+DROP DATABASE mysqltest1;
+
 --echo End of 5.1 tests
--- a/sql/sql_binlog.cc
+++ b/sql/sql_binlog.cc
@@ -37,6 +37,12 @@ void mysql_client_binlog_statement(THD* thd)
                            thd->lex->comment.length : 2048),
                     thd->lex->comment.str));

+  if (check_global_access(thd, SUPER_ACL))
+  {
+    my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), "SUPER");
+    DBUG_VOID_RETURN;
+  }
+
  /*
    Temporarily turn off send_ok, since different events handle this
    differently