]>
Commit | Line | Data |
---|---|---|
f8bb649e | 1 | |
2 | #### ChangeSet #### | |
3 | 2007-11-06 18:09:33+04:00, svoj@mysql.com | |
4 | BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE | |
5 | ||
6 | RENAME TABLE against a table with DATA/INDEX DIRECTORY overwrites | |
7 | the file to which the symlink points. | |
8 | ||
9 | This is security issue, because it is possible to create a table with | |
10 | some name in some non-system database and set DATA/INDEX DIRECTORY | |
11 | to mysql system database. Renaming this table to one of mysql system | |
12 | tables (e.g. user, host) would overwrite the system table. | |
13 | ||
14 | Return an error when the file to which the symlink points exist. | |
15 | ||
16 | ==== mysql-test/r/symlink.result ==== | |
17 | 2007-11-06 18:09:32+04:00, svoj@mysql.com +6 -0 | |
18 | A test case for BUG#32111. | |
19 | ||
20 | --- 1.7/mysql-test/r/symlink.result 2003-12-12 12:26:56 -08:00 | |
21 | +++ 1.8/mysql-test/r/symlink.result 2007-11-06 06:09:32 -08:00 | |
22 | @@ -84,3 +84,9 @@ t1 CREATE TABLE `t1` ( | |
23 | `b` int(11) default NULL | |
24 | ) TYPE=MyISAM | |
25 | drop table t1; | |
26 | +CREATE TABLE t1(a INT) | |
27 | +DATA DIRECTORY='TEST_DIR/var/master-data/mysql' | |
28 | +INDEX DIRECTORY='TEST_DIR/var/master-data/mysql'; | |
29 | +RENAME TABLE t1 TO user; | |
30 | +Can't create/write to file 'TEST_DIR/var/master-data/mysql/user.MYI' (Errcode: 17) | |
31 | +DROP TABLE t1; | |
32 | ||
33 | ==== mysql-test/t/symlink.test ==== | |
34 | 2007-11-06 18:09:32+04:00, svoj@mysql.com +12 -0 | |
35 | A test case for BUG#32111. | |
36 | ||
37 | --- 1.6/mysql-test/t/symlink.test 2003-12-12 12:26:56 -08:00 | |
38 | +++ 1.7/mysql-test/t/symlink.test 2007-11-06 06:09:32 -08:00 | |
39 | @@ -112,3 +112,15 @@ eval alter table t1 index directory="$MY | |
40 | enable_query_log; | |
41 | show create table t1; | |
42 | drop table t1; | |
43 | + | |
44 | +# | |
45 | +# BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE | |
46 | +# | |
47 | +--replace_result $MYSQL_TEST_DIR TEST_DIR | |
48 | +eval CREATE TABLE t1(a INT) | |
49 | +DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/mysql' | |
50 | +INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data/mysql'; | |
51 | +--replace_result $MYSQL_TEST_DIR TEST_DIR | |
52 | +--error 1 | |
53 | +RENAME TABLE t1 TO user; | |
54 | +DROP TABLE t1; | |
55 | ||
56 | ==== mysys/my_symlink2.c ==== | |
57 | 2007-11-06 18:09:32+04:00, svoj@mysql.com +10 -1 | |
58 | Return an error when the file to which the symlink points exist. | |
59 | ||
60 | --- 1.6/mysys/my_symlink2.c 2003-12-12 12:26:56 -08:00 | |
61 | +++ 1.7/mysys/my_symlink2.c 2007-11-06 06:09:32 -08:00 | |
62 | @@ -120,6 +120,7 @@ int my_rename_with_symlink(const char *f | |
63 | int was_symlink= (!my_disable_symlinks && | |
64 | !my_readlink(link_name, from, MYF(0))); | |
65 | int result=0; | |
66 | + int name_is_different; | |
67 | DBUG_ENTER("my_rename_with_symlink"); | |
68 | ||
69 | if (!was_symlink) | |
70 | @@ -128,6 +129,14 @@ int my_rename_with_symlink(const char *f | |
71 | /* Change filename that symlink pointed to */ | |
72 | strmov(tmp_name, to); | |
73 | fn_same(tmp_name,link_name,1); /* Copy dir */ | |
74 | + name_is_different= strcmp(link_name, tmp_name); | |
75 | + if (name_is_different && !access(tmp_name, F_OK)) | |
76 | + { | |
77 | + my_errno= EEXIST; | |
78 | + if (MyFlags & MY_WME) | |
79 | + my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST); | |
80 | + DBUG_RETURN(1); | |
81 | + } | |
82 | ||
83 | /* Create new symlink */ | |
84 | if (my_symlink(tmp_name, to, MyFlags)) | |
85 | @@ -139,7 +148,7 @@ int my_rename_with_symlink(const char *f | |
86 | the same basename and different directories. | |
87 | */ | |
88 | ||
89 | - if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags)) | |
90 | + if (name_is_different && my_rename(link_name, tmp_name, MyFlags)) | |
91 | { | |
92 | int save_errno=my_errno; | |
93 | my_delete(to, MyFlags); /* Remove created symlink */ |