From b206300975cd1f598bffc4d7ba5de7e19b9deccb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Mon, 30 Jan 2017 12:53:54 +0200
Subject: [PATCH] Exact hostnames grants take precedence over wildcard grants
MariaDB and others match grants first by exact hostname/IP and then by wildcard. If there are no exact matches, the wildcard grant should be picked. This can be tested by having different passwords for localhost and remote address. The SQLite based authentication should first check for an exact match and then only after that should it try to match the hostname to a wildcard grant.
---
 server/modules/authenticator/MySQLAuth/dbusers.c | 4 ++--
 server/modules/authenticator/MySQLAuth/mysql_auth.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/server/modules/authenticator/MySQLAuth/dbusers.c b/server/modules/authenticator/MySQLAuth/dbusers.c
index 7ae3717a3..b8b05b219 100644
--- a/server/modules/authenticator/MySQLAuth/dbusers.c
+++ b/server/modules/authenticator/MySQLAuth/dbusers.c
@@ -463,7 +463,7 @@ bool validate_mysql_user(sqlite3 *handle, DCB *dcb, MYSQL_session *session,
 char *err;
 sprintf(sql, mysqlauth_validate_user_query, session->user, dcb->remote,
- session->db, session->db);
+ dcb->remote, session->db, session->db);
 struct user_query_result res = {};
@@ -482,7 +482,7 @@ bool validate_mysql_user(sqlite3 *handle, DCB *dcb, MYSQL_session *session,
 char client_hostname[MYSQL_HOST_MAXLEN];
 wildcard_domain_match(dcb->remote, client_hostname);
 sprintf(sql, mysqlauth_validate_user_query, session->user, client_hostname,
- session->db, session->db);
+ client_hostname, session->db, session->db);
 if (sqlite3_exec(handle, sql, auth_cb, &res, &err) != SQLITE_OK)
 {
diff --git a/server/modules/authenticator/MySQLAuth/mysql_auth.h b/server/modules/authenticator/MySQLAuth/mysql_auth.h
index 8e6713f5a..6036a7ea1 100644
--- a/server/modules/authenticator/MySQLAuth/mysql_auth.h
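Review bot: Both `sprintf` calls (this hunk and the one at line 482) now expand one more host string into `sql` with no length bound, and the declaration and sizing of `sql` lie outside the hunks, so it should be confirmed that the buffer allows for the host value twice and for the longer query text. If `sql` is an array in scope, `snprintf(sql, sizeof(sql), mysqlauth_validate_user_query, ...)` followed by a check that the result is non-negative and below `sizeof(sql)` would turn an undersized buffer into a rejected login rather than a memory overwrite. Separately, `session->user` and `session->db` look client-supplied and are placed inside single-quoted SQL literals, so a quote character in either would alter the statement; binding the values through `sqlite3_prepare_v2()` and `sqlite3_bind_text()` instead of formatting them into the text would remove that dependence on earlier sanitising. The function body starts and ends outside both hunks.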
+++ b/server/modules/authenticator/MySQLAuth/mysql_auth.h
@@ -61,7 +61,7 @@ static const char databases_create_sql[] =
 /** Query that checks if there's a grant for the user being authenticated */
 static const char mysqlauth_validate_user_query[] =
 "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
- " WHERE user = '%s' AND '%s' LIKE host AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
+ " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
 " LIMIT 1";
 /** Query that checks that the database exists */
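Review bot: The rewritten `WHERE` clause does not by itself give exact host matches precedence: any row that satisfies `'%s' = host` also satisfies `'%s' LIKE host`, so the new condition selects the same rows as the old one, and `LIMIT 1` without an `ORDER BY` returns whichever matching row SQLite happens to visit first. For a user with both an exact-host and a wildcard grant carrying different passwords, which is the case the commit message describes, the password used for the comparison is therefore still unspecified. Ordering exact matches first, for example `" ORDER BY (host = '%s') DESC LIMIT 1"` with the host passed once more by both callers, or running a separate exact-match query before the wildcard one, would make the choice deterministic. The doc comment above the query should also state how many `%s` arguments it takes and in what order, since the callers and the buffer sizing have to stay in step with it.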