MXS-1345: Allow an empty list of functions

The function type rule now accepts an empty list of functions, allowing all functions to be blocked by defining an empty function type rule and setting action=allow.
2017-08-09 13:35:24 +03:00 · 2017-08-09 13:35:24 +03:00 · ebe9596966
commit ebe9596966
parent 0d2514b9ce
2 changed files with 7 additions and 0 deletions
--- a/Documentation/Filters/Database-Firewall-Filter.md
+++ b/Documentation/Filters/Database-Firewall-Filter.md
@ -165,6 +165,12 @@ matched. The symbolic comparison operators (`<`, `>`, `>=` etc.) are also
 considered functions whereas the text versions (`NOT`, `IS`, `IS NOT` etc.) are
 not considered functions.

+If the rule is given no values then the rule will match any query which does not
+use functions. By combining this with the `action=allow` parameter, it is
+possible to enable whitelisting of all queries which do not use functions. One
+such use case is preventing functions from being used to circumvent masking done
+by the masking filter.
+
 When the filter is in whitelist mode (`action=allow`) the function rule
 will match any query that does not use a function. This means that queries
 that do not use functions will be allowed through a function type rule.
--- a/server/modules/filter/dbfwfilter/ruleparser.y
+++ b/server/modules/filter/dbfwfilter/ruleparser.y
@ -114,6 +114,7 @@ mandatory:
    | FWTOK_REGEX FWTOK_QUOTEDSTR {if (!define_regex_rule(scanner, $2)){YYERROR;}}
    | FWTOK_COLUMNS columnlist
    | FWTOK_FUNCTION functionlist
+    | FWTOK_FUNCTION {if (!define_function_rule(scanner, "")){YYERROR;}}
    ;

 columnlist: