From edbbafc2e90d52fe7bf2ca8c436f4c07e3a10d5f Mon Sep 17 00:00:00 2001
From: Marko
Date: Tue, 25 Jun 2019 14:40:17 +0300
Subject: [PATCH] MXS-2502 Fix access denied when connecting to 'information_schema'
---
 .../authenticator/GSSAPI/GSSAPIAuth/gssapi_auth.cc | 2 +-
 server/modules/authenticator/MySQLAuth/mysql_auth.h | 8 +++++---
 .../authenticator/PAM/PAMAuth/pam_client_session.cc | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/server/modules/authenticator/GSSAPI/GSSAPIAuth/gssapi_auth.cc b/server/modules/authenticator/GSSAPI/GSSAPIAuth/gssapi_auth.cc
index cabdf616a..bcb9d1833 100644
--- a/server/modules/authenticator/GSSAPI/GSSAPIAuth/gssapi_auth.cc
+++ b/server/modules/authenticator/GSSAPI/GSSAPIAuth/gssapi_auth.cc
@@ -63,7 +63,7 @@ const char create_sql[] =
 /** The query that is executed when a user is authenticated */
 static const char gssapi_auth_query[] =
 "SELECT * FROM " GSSAPI_TABLE_NAME
- " WHERE user = '%s' AND '%s' LIKE host AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
+ " WHERE user = '%s' AND '%s' LIKE host AND (anydb = '1' OR '%s' IN ('information_schema', '') OR '%s' LIKE db)"
 " AND ('%s' = '%s' OR princ = '%s') LIMIT 1";
 
 /** Delete query used to clean up the database before loading new users */
diff --git a/server/modules/authenticator/MySQLAuth/mysql_auth.h b/server/modules/authenticator/MySQLAuth/mysql_auth.h
index b63109900..2f4c6d986 100644
--- a/server/modules/authenticator/MySQLAuth/mysql_auth.h
+++ b/server/modules/authenticator/MySQLAuth/mysql_auth.h
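Review bot: The new `'%s' IN ('information_schema', '')` test in `gssapi_auth_query` compares the client-supplied database name byte-for-byte, so a client that selects `INFORMATION_SCHEMA` (MySQL treats that schema name as case-insensitive) would presumably still be refused by this lookup; `LOWER('%s') IN ('information_schema', '')` would cover it, as the `_lower` query in mysql_auth.h already does for its own branch. The same applies to the PAM hunk in pam_client_session.cc and to the two non-`_lower` queries in mysql_auth.h. Whether the `%s` values are escaped before this string is formatted is not visible in the hunk; if the caller guarantees that, a note on the definition such as `/** The query that is executed when a user is authenticated; user, host and db must be escaped before formatting */` would make the contract explicit.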
@@ -63,19 +63,21 @@ static const char pragma_sql[] = "PRAGMA JOURNAL_MODE=NONE";
 /** Query that checks if there's a grant for the user being authenticated */
 static const char mysqlauth_validate_user_query[] =
 "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
- " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
+ " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host)"
+ " AND (anydb = '1' OR '%s' IN ('', 'information_schema') OR '%s' LIKE db)"
 " LIMIT 1";
 
 /** Query that checks if there's a grant for the user being authenticated */
 static const char mysqlauth_validate_user_query_lower[] =
 "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
- " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR LOWER('%s') LIKE LOWER(db))"
+ " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host)"
+ " AND (anydb = '1' OR LOWER('%s') IN ('', 'information_schema') OR LOWER('%s') LIKE LOWER(db)"
 " LIMIT 1";
 
 /** Query that only checks if there's a matching user */
 static const char mysqlauth_skip_auth_query[] =
 "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
- " WHERE user = '%s' AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
+ " WHERE user = '%s' AND (anydb = '1' OR '%s' IN ('', 'information_schema') OR '%s' LIKE db)"
 " LIMIT 1";
 
 /** Query that checks that the database exists */
diff --git a/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc b/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
index 82cdd7c05..12818d2fc 100644
--- a/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
+++ b/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
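Review bot: The added second fragment of `mysqlauth_validate_user_query_lower` drops the closing parenthesis of the `(anydb = '1' OR ...` group: the removed line ended in `LOWER(db))"` while the new one ends in `LOWER(db)"`, so the statement no longer parses and every lookup that goes through the `_lower` variant would presumably fail outright instead of authenticating. Restore it as `" AND (anydb = '1' OR LOWER('%s') IN ('', 'information_schema') OR LOWER('%s') LIKE LOWER(db))"`. Since a statement that fails to prepare is a hard denial for those users, a unit test that prepares each of the three query strings against the users table schema would catch this class of typo before it ships. Minor: the GSSAPI and PAM queries in this commit spell the list as `IN ('information_schema', '')`; using one order everywhere keeps the three authenticators greppable together.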
@@ -307,7 +307,7 @@ void PamClientSession::get_pam_user_services(const DCB* dcb, const MYSQL_session
 string services_query = string("SELECT authentication_string FROM ") + m_instance.m_tablename
 + " WHERE " + FIELD_USER + " = '" + session->user + "'"
 + " AND '" + dcb->remote + "' LIKE " + FIELD_HOST
- + " AND (" + FIELD_ANYDB + " = '1' OR '" + session->db + "' = '' OR '"
+ + " AND (" + FIELD_ANYDB + " = '1' OR '" + session->db + "' IN ('information_schema', '') OR '"
 + session->db + "' LIKE " + FIELD_DB + ")"
 + " AND " + FIELD_PROXY + " = '0' ORDER BY authentication_string;";
 MXS_DEBUG("PAM services search sql: '%s'.", services_query.c_str());
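Review bot: The rewritten line still splices `session->db` straight into the SQL text between single quotes, as the surrounding context lines do for `session->user` and `dcb->remote`, so the statement is only well-formed if those values were escaped before this point, and nothing in the hunk shows that. Binding the three values as prepared-statement parameters rather than concatenating them would remove the dependency on upstream escaping; failing that, a comment above `services_query` such as `// session->user, session->db and dcb->remote must already be escaped for SQL` would at least record the assumption for the next reader. `get_pam_user_services` begins before this hunk and continues after it.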