From f224072f1b5c0b0932217b12f00248ec5f43b8b6 Mon Sep 17 00:00:00 2001 From: brad Date: Wed, 20 Oct 2004 07:36:04 +0000 Subject: [PATCH] * Fixed bug in privilege checking where, under some conditions, one was able to grant privileges on the database, he has no privileges on. (Bug #3933) --- .../mysql/patches/patch-include_my_sys_h | 12 +++ .../mysql/patches/patch-mysys_mf_wcomp_c | 94 +++++++++++++++++++ .../mysql/patches/patch-mysys_mf_wfile_c | 21 +++++ databases/mysql/patches/patch-sql_sql_acl_cc | 48 ++++++++++ databases/mysql/patches/patch-sql_sql_acl_h | 12 +++ databases/mysql/patches/patch-sql_sql_base_cc | 12 +++ databases/mysql/patches/patch-sql_sql_db_cc | 12 +++ .../mysql/patches/patch-sql_sql_parse_cc | 22 ++++- databases/mysql/patches/patch-sql_sql_show_cc | 30 ++++++ 9 files changed, 261 insertions(+), 2 deletions(-) create mode 100644 databases/mysql/patches/patch-include_my_sys_h create mode 100644 databases/mysql/patches/patch-mysys_mf_wcomp_c create mode 100644 databases/mysql/patches/patch-mysys_mf_wfile_c create mode 100644 databases/mysql/patches/patch-sql_sql_acl_cc create mode 100644 databases/mysql/patches/patch-sql_sql_acl_h create mode 100644 databases/mysql/patches/patch-sql_sql_base_cc create mode 100644 databases/mysql/patches/patch-sql_sql_db_cc create mode 100644 databases/mysql/patches/patch-sql_sql_show_cc diff --git a/databases/mysql/patches/patch-include_my_sys_h b/databases/mysql/patches/patch-include_my_sys_h new file mode 100644 index 00000000000..44169187195 --- /dev/null +++ b/databases/mysql/patches/patch-include_my_sys_h @@ -0,0 +1,12 @@ +$OpenBSD: patch-include_my_sys_h,v 1.1 2004/10/20 07:36:04 brad Exp $ +--- include/my_sys.h.orig Thu May 13 20:53:30 2004 ++++ include/my_sys.h Wed Oct 20 00:50:18 2004 +@@ -620,7 +620,7 @@ extern my_string my_path(my_string to,co + const char *own_pathname_part); + extern my_string my_load_path(my_string to, const char *path, + const char *own_path_prefix); +-extern int wild_compare(const char *str,const char *wildstr); ++extern int wild_compare(const char *str,const char *wildstr,pbool str_is_pattern); + extern my_string my_strcasestr(const char *src,const char *suffix); + extern int my_strcasecmp(const char *s,const char *t); + extern int my_strsortcmp(const char *s,const char *t); diff --git a/databases/mysql/patches/patch-mysys_mf_wcomp_c b/databases/mysql/patches/patch-mysys_mf_wcomp_c new file mode 100644 index 00000000000..9aa79af8715 --- /dev/null +++ b/databases/mysql/patches/patch-mysys_mf_wcomp_c @@ -0,0 +1,94 @@ +$OpenBSD: patch-mysys_mf_wcomp_c,v 1.1 2004/10/20 07:36:04 brad Exp $ +--- mysys/mf_wcomp.c.orig Thu May 13 20:53:18 2004 ++++ mysys/mf_wcomp.c Wed Oct 20 00:50:18 2004 +@@ -23,11 +23,12 @@ + + char wild_many='*'; + char wild_one='?'; +-char wild_prefix=0; ++char wild_prefix=0; /* QQ this can potentially cause a SIGSEGV */ + +-int wild_compare(register const char *str, register const char *wildstr) ++int wild_compare(register const char *str, register const char *wildstr, ++ pbool str_is_pattern) + { +- reg3 int flag; ++ char cmp; + DBUG_ENTER("wild_compare"); + + while (*wildstr) +@@ -35,33 +36,55 @@ int wild_compare(register const char *st + while (*wildstr && *wildstr != wild_many && *wildstr != wild_one) + { + if (*wildstr == wild_prefix && wildstr[1]) ++ { + wildstr++; +- if (*wildstr++ != *str++) DBUG_RETURN(1); ++ if (str_is_pattern && *str++ != wild_prefix) ++ DBUG_RETURN(1); ++ } ++ if (*wildstr++ != *str++) ++ DBUG_RETURN(1); + } +- if (! *wildstr ) DBUG_RETURN (*str != 0); ++ if (! *wildstr ) ++ DBUG_RETURN(*str != 0); + if (*wildstr++ == wild_one) + { +- if (! *str++) DBUG_RETURN (1); /* One char; skipp */ ++ if (! *str || (str_is_pattern && *str == wild_many)) ++ DBUG_RETURN(1); /* One char; skip */ ++ if (*str++ == wild_prefix && str_is_pattern && *str) ++ str++; + } + else + { /* Found '*' */ +- if (!*wildstr) DBUG_RETURN(0); /* '*' as last char: OK */ +- flag=(*wildstr != wild_many && *wildstr != wild_one); +- do ++ while (str_is_pattern && *str == wild_many) ++ str++; ++ for (; *wildstr == wild_many || *wildstr == wild_one; wildstr++) ++ if (*wildstr == wild_many) ++ { ++ while (str_is_pattern && *str == wild_many) ++ str++; ++ } ++ else ++ { ++ if (str_is_pattern && *str == wild_prefix && str[1]) ++ str+=2; ++ else if (! *str++) ++ DBUG_RETURN (1); ++ } ++ if (!*wildstr) ++ DBUG_RETURN(0); /* '*' as last char: OK */ ++ if ((cmp= *wildstr) == wild_prefix && wildstr[1] && !str_is_pattern) ++ cmp=wildstr[1]; ++ for (;;str++) + { +- if (flag) +- { +- char cmp; +- if ((cmp= *wildstr) == wild_prefix && wildstr[1]) +- cmp=wildstr[1]; +- while (*str && *str != cmp) +- str++; +- if (!*str) DBUG_RETURN (1); +- } +- if (wild_compare(str,wildstr) == 0) DBUG_RETURN (0); +- } while (*str++ && wildstr[0] != wild_many); +- DBUG_RETURN(1); ++ while (*str && *str != cmp) ++ str++; ++ if (!*str) ++ DBUG_RETURN (1); ++ if (wild_compare(str,wildstr,str_is_pattern) == 0) ++ DBUG_RETURN (0); ++ } ++ /* We will never come here */ + } + } +- DBUG_RETURN (*str != '\0'); ++ DBUG_RETURN (*str != 0); + } /* wild_compare */ diff --git a/databases/mysql/patches/patch-mysys_mf_wfile_c b/databases/mysql/patches/patch-mysys_mf_wfile_c new file mode 100644 index 00000000000..9c122e57ba5 --- /dev/null +++ b/databases/mysql/patches/patch-mysys_mf_wfile_c @@ -0,0 +1,21 @@ +$OpenBSD: patch-mysys_mf_wfile_c,v 1.1 2004/10/20 07:36:04 brad Exp $ +--- mysys/mf_wfile.c.orig Thu May 13 20:53:35 2004 ++++ mysys/mf_wfile.c Wed Oct 20 00:50:18 2004 +@@ -106,7 +106,7 @@ int wf_test(register WF_PACK *wf_pack, r + + not_pos=wf_pack->not_pos; + for (i=0 ; i < not_pos; i++) +- if (wild_compare(name,wf_pack->wild[i]) == 0) ++ if (wild_compare(name,wf_pack->wild[i],0) == 0) + goto found; + if (i) + DBUG_RETURN(1); /* No-match */ +@@ -115,7 +115,7 @@ found: + /* Test that it isn't in not-list */ + + for (i=not_pos ; i < wf_pack->wilds; i++) +- if (wild_compare(name,wf_pack->wild[i]) == 0) ++ if (wild_compare(name,wf_pack->wild[i],0) == 0) + DBUG_RETURN(1); + DBUG_RETURN(0); + } /* wf_test */ diff --git a/databases/mysql/patches/patch-sql_sql_acl_cc b/databases/mysql/patches/patch-sql_sql_acl_cc new file mode 100644 index 00000000000..1ecb59d6341 --- /dev/null +++ b/databases/mysql/patches/patch-sql_sql_acl_cc @@ -0,0 +1,48 @@ +$OpenBSD: patch-sql_sql_acl_cc,v 1.3 2004/10/20 07:36:04 brad Exp $ +--- sql/sql_acl.cc.orig Thu May 13 20:53:35 2004 ++++ sql/sql_acl.cc Wed Oct 20 00:50:19 2004 +@@ -834,7 +834,7 @@ static void acl_insert_db(const char *us + */ + + ulong acl_get(const char *host, const char *ip, const char *bin_ip, +- const char *user, const char *db) ++ const char *user, const char *db, my_bool db_is_pattern) + { + ulong host_access,db_access; + uint i,key_length; +@@ -868,7 +868,7 @@ ulong acl_get(const char *host, const ch + { + if (compare_hostname(&acl_db->host,host,ip)) + { +- if (!acl_db->db || !wild_compare(db,acl_db->db)) ++ if (!acl_db->db || !wild_compare(db,acl_db->db,db_is_pattern)) + { + db_access=acl_db->access; + if (acl_db->host.hostname) +@@ -890,7 +890,7 @@ ulong acl_get(const char *host, const ch + ACL_HOST *acl_host=dynamic_element(&acl_hosts,i,ACL_HOST*); + if (compare_hostname(&acl_host->host,host,ip)) + { +- if (!acl_host->db || !wild_compare(db,acl_host->db)) ++ if (!acl_host->db || !wild_compare(db,acl_host->db,0)) + { + host_access=acl_host->access; // Fully specified. Take it + break; +@@ -1222,7 +1222,7 @@ static bool compare_hostname(const acl_h + } + return (!host->hostname || + (hostname && !wild_case_compare(hostname,host->hostname)) || +- (ip && !wild_compare(ip,host->hostname))); ++ (ip && !wild_compare(ip,host->hostname,0))); + } + + +@@ -1300,7 +1300,7 @@ static bool test_if_create_new_users(THD + tl.db= (char*) "mysql"; + tl.real_name= (char*) "user"; + db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr, +- thd->priv_user, tl.db); ++ thd->priv_user, tl.db, 0); + if (!(db_access & INSERT_ACL)) + { + if (check_grant(thd,INSERT_ACL,&tl,0,1)) diff --git a/databases/mysql/patches/patch-sql_sql_acl_h b/databases/mysql/patches/patch-sql_sql_acl_h new file mode 100644 index 00000000000..594650d0a9e --- /dev/null +++ b/databases/mysql/patches/patch-sql_sql_acl_h @@ -0,0 +1,12 @@ +$OpenBSD: patch-sql_sql_acl_h,v 1.1 2004/10/20 07:36:04 brad Exp $ +--- sql/sql_acl.h.orig Thu May 13 20:53:22 2004 ++++ sql/sql_acl.h Wed Oct 20 00:50:19 2004 +@@ -85,7 +85,7 @@ my_bool acl_init(THD *thd, bool dont_re + void acl_reload(THD *thd); + void acl_free(bool end=0); + ulong acl_get(const char *host, const char *ip, const char *bin_ip, +- const char *user, const char *db); ++ const char *user, const char *db, my_bool db_is_pattern); + ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user, + const char *password,const char *scramble, + char **priv_user, char *priv_host, diff --git a/databases/mysql/patches/patch-sql_sql_base_cc b/databases/mysql/patches/patch-sql_sql_base_cc new file mode 100644 index 00000000000..08ad74baaa3 --- /dev/null +++ b/databases/mysql/patches/patch-sql_sql_base_cc @@ -0,0 +1,12 @@ +$OpenBSD: patch-sql_sql_base_cc,v 1.1 2004/10/20 07:36:04 brad Exp $ +--- sql/sql_base.cc.orig Thu May 13 20:53:18 2004 ++++ sql/sql_base.cc Wed Oct 20 00:50:19 2004 +@@ -149,7 +149,7 @@ OPEN_TABLE_LIST *list_open_tables(THD *t + if (wild) + { + strxmov(name,entry->table_cache_key,".",entry->real_name,NullS); +- if (wild_compare(name,wild)) ++ if (wild_compare(name,wild,0)) + continue; + } + diff --git a/databases/mysql/patches/patch-sql_sql_db_cc b/databases/mysql/patches/patch-sql_sql_db_cc new file mode 100644 index 00000000000..666569f4aea --- /dev/null +++ b/databases/mysql/patches/patch-sql_sql_db_cc @@ -0,0 +1,12 @@ +$OpenBSD: patch-sql_sql_db_cc,v 1.1 2004/10/20 07:36:04 brad Exp $ +--- sql/sql_db.cc.orig Thu May 13 20:53:31 2004 ++++ sql/sql_db.cc Wed Oct 20 00:50:19 2004 +@@ -408,7 +408,7 @@ bool mysql_change_db(THD *thd,const char + db_access=DB_ACLS; + else + db_access= (acl_get(thd->host,thd->ip,(char*) &thd->remote.sin_addr, +- thd->priv_user,dbname) | ++ thd->priv_user,dbname,0) | + thd->master_access); + if (!(db_access & DB_ACLS) && (!grant_option || check_grant_db(thd,dbname))) + { diff --git a/databases/mysql/patches/patch-sql_sql_parse_cc b/databases/mysql/patches/patch-sql_sql_parse_cc index 2e51a50eabc..d55ef966e8b 100644 --- a/databases/mysql/patches/patch-sql_sql_parse_cc +++ b/databases/mysql/patches/patch-sql_sql_parse_cc @@ -1,6 +1,24 @@ -$OpenBSD: patch-sql_sql_parse_cc,v 1.1 2004/10/20 04:47:29 brad Exp $ +$OpenBSD: patch-sql_sql_parse_cc,v 1.2 2004/10/20 07:36:04 brad Exp $ --- sql/sql_parse.cc.orig Thu May 13 20:53:18 2004 -+++ sql/sql_parse.cc Tue Oct 19 22:22:11 2004 ++++ sql/sql_parse.cc Wed Oct 20 00:50:19 2004 +@@ -2670,7 +2670,7 @@ check_access(THD *thd, ulong want_access + if (!(thd->master_access & SELECT_ACL) && + (db && (!thd->db || strcmp(db,thd->db)))) + db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr, +- thd->priv_user, db); /* purecov: inspected */ ++ thd->priv_user, db, 0); /* purecov: inspected */ + *save_priv=thd->master_access | db_access; + DBUG_RETURN(FALSE); + } +@@ -2690,7 +2690,7 @@ check_access(THD *thd, ulong want_access + + if (db && (!thd->db || strcmp(db,thd->db))) + db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr, +- thd->priv_user, db); /* purecov: inspected */ ++ thd->priv_user, db, 0); /* purecov: inspected */ + else + db_access=thd->db_access; + // Remove SHOW attribute and access rights we already have @@ -3155,7 +3155,10 @@ bool add_field_to_list(char *field_name, break; case FIELD_TYPE_DECIMAL: diff --git a/databases/mysql/patches/patch-sql_sql_show_cc b/databases/mysql/patches/patch-sql_sql_show_cc new file mode 100644 index 00000000000..0f7d4617e7f --- /dev/null +++ b/databases/mysql/patches/patch-sql_sql_show_cc @@ -0,0 +1,30 @@ +$OpenBSD: patch-sql_sql_show_cc,v 1.1 2004/10/20 07:36:04 brad Exp $ +--- sql/sql_show.cc.orig Thu May 13 20:53:23 2004 ++++ sql/sql_show.cc Wed Oct 20 00:50:19 2004 +@@ -78,7 +78,7 @@ mysqld_show_dbs(THD *thd,const char *wil + { + if (thd->master_access & (DB_ACLS | SHOW_DB_ACL) || + acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr, +- thd->priv_user, file_name) || ++ thd->priv_user, file_name, 0) || + (grant_option && !check_grant_db(thd, file_name))) + { + thd->packet.length(0); +@@ -214,7 +214,7 @@ mysql_find_files(THD *thd,List *fi + #endif + { + if (file->name[0] == '.' || !MY_S_ISDIR(file->mystat->st_mode) || +- (wild && wild_compare(file->name,wild))) ++ (wild && wild_compare(file->name,wild, 0))) + continue; + } + } +@@ -232,7 +232,7 @@ mysql_find_files(THD *thd,List *fi + if (wild_case_compare(file->name,wild)) + continue; + } +- else if (wild_compare(file->name,wild)) ++ else if (wild_compare(file->name,wild, 0)) + continue; + } + }