Skip to content
Permalink
Browse files

MDEV-10465 general_log_file can be abused

followup
  • Loading branch information...
vuvova committed Aug 8, 2016
1 parent a7c43a6 commit 2a54a530a9ba96a9a57607dd156a42192dae0873
@@ -18,6 +18,8 @@ SET @@global.general_log_file = '/tmp/my.cnf';
ERROR 42000: Variable 'general_log_file' can't be set to the value of '/tmp/my.cnf'
SET @@global.general_log_file = '.my.cnf';
ERROR 42000: Variable 'general_log_file' can't be set to the value of '.my.cnf'
SET @@global.general_log_file = 'my.cnf\0foo';
ERROR 42000: Variable 'general_log_file' can't be set to the value of 'my.cnf'
'#----------------------FN_DYNVARS_004_03------------------------#'
SELECT @@global.general_log_file = VARIABLE_VALUE
FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES
@@ -15,6 +15,8 @@ SET @@global.slow_query_log_file = '/tmp/my.cnf';
ERROR 42000: Variable 'slow_query_log_file' can't be set to the value of '/tmp/my.cnf'
SET @@global.general_log_file = '.my.cnf';
ERROR 42000: Variable 'general_log_file' can't be set to the value of '.my.cnf'
SET @@global.general_log_file = 'my.cnf\0foo';
ERROR 42000: Variable 'general_log_file' can't be set to the value of 'my.cnf'
'#----------------------FN_DYNVARS_004_03------------------------#'
SELECT @@global.slow_query_log_file = VARIABLE_VALUE
FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES
@@ -67,6 +67,8 @@ SET @@global.general_log_file = 'my.cnf';
SET @@global.general_log_file = '/tmp/my.cnf';
--error ER_WRONG_VALUE_FOR_VAR
SET @@global.general_log_file = '.my.cnf';
--error ER_WRONG_VALUE_FOR_VAR
SET @@global.general_log_file = 'my.cnf\0foo';


--echo '#----------------------FN_DYNVARS_004_03------------------------#'
@@ -65,6 +65,8 @@ SET @@global.slow_query_log_file = 'my.cnf';
SET @@global.slow_query_log_file = '/tmp/my.cnf';
--error ER_WRONG_VALUE_FOR_VAR
SET @@global.general_log_file = '.my.cnf';
--error ER_WRONG_VALUE_FOR_VAR
SET @@global.general_log_file = 'my.cnf\0foo';

--echo '#----------------------FN_DYNVARS_004_03------------------------#'
##############################################################################
@@ -3033,19 +3033,19 @@ static bool check_log_path(sys_var *self, THD *thd, set_var *var)
return true;
}

static const LEX_CSTRING my_cnf= { STRING_WITH_LEN("my.cnf") };
if (val->length >= my_cnf.length)
{
if (strcasecmp(val->str + val->length - my_cnf.length, my_cnf.str) == 0)
return true; // log file name ends with "my.cnf"
}

char path[FN_REFLEN];
size_t path_length= unpack_filename(path, val->str);

if (!path_length)
return true;

static const LEX_CSTRING my_cnf= { STRING_WITH_LEN("my.cnf") };
if (path_length >= my_cnf.length)
{
if (strcasecmp(path + path_length - my_cnf.length, my_cnf.str) == 0)
return true; // log file name ends with "my.cnf"
}

MY_STAT f_stat;

if (my_stat(path, &f_stat, MYF(0)))

0 comments on commit 2a54a53

Please sign in to comment.
You can’t perform that action at this time.