MDEV-40159: Complete priv escalation for low priv user upon backup re… (#5285)
sanja-byelkin wants to merge 1 commit into
Code Review
This pull request addresses a SQL injection vulnerability where a low-privilege user could inject malicious SQL commands via a crafted DATA DIRECTORY path containing unescaped single quotes. The fix replaces packet->append with packet->append_for_single_quote in sql/sql_show.cc to ensure directory paths are properly escaped. A new test case has been added to verify the fix. I have no feedback to provide.
Pull request overview
This PR addresses MDEV-40159, closing a privilege-escalation path where a low-privilege user can inject SQL via DATA DIRECTORY/INDEX DIRECTORY values that are later re-emitted (e.g., via SHOW CREATE TABLE / mysqldump) and executed during restore by a higher-privileged user.
Changes:
- Escape directory paths when emitting DATA DIRECTORY/INDEX DIRECTORY in sql/sql_show.cc.
- Add a new mysql-test regression case (mysqldump-exploit) to validate the exploit is prevented.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| sql/sql_show.cc | Changes directory path emission to use single-quote-aware escaping when generating CREATE statements. |
| mysql-test/main/mysqldump-exploit.test | Adds a regression test that attempts to plant an injected directory path and verifies the backdoor user is not created on restore. |
| mysql-test/main/mysqldump-exploit.result | Captures expected output for the new regression test. |
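Both reviews above describe the same defect: a DATA DIRECTORY value copied raw into the single-quoted literal of a generated CREATE statement, which a restore then executes. The following is an added example, not MariaDB's code: it models the pre-fix and fixed emission side by side and includes a reader-side check a restore tool can run to detect a value that escaped its literal. The escape set (modelled on `String::append_for_single_quote`) and the literal decoder are simplified assumptions, not the server's implementation.

```python
# Added example, not MariaDB's code: model of how a CREATE statement emitter
# writes a DATA DIRECTORY value into a single-quoted literal, contrasting the
# pre-fix raw append with quote-aware escaping, plus a reader-side check.
# ESCAPES is modelled on String::append_for_single_quote (assumed set);
# the decoder is a simplified MySQL literal scanner, also an assumption.

ESCAPES = {"\\": "\\\\", "'": "\\'", "\0": "\\0", "\n": "\\n",
           "\r": "\\r", "\x1a": "\\Z"}
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t"}


def append_for_single_quote(value: str) -> str:
    """Escape a value so it can sit inside '...' without ending the literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def emit_data_directory(path: str, escaped: bool) -> str:
    """Emit the clause the way the fixed (escaped=True) or pre-fix (False)
    code path does: opening quote, the value, closing quote."""
    body = append_for_single_quote(path) if escaped else path
    return " DATA DIRECTORY='" + body + "'"


def parse_single_quoted(sql: str, start: int) -> tuple[str, str]:
    """Read one single-quoted literal beginning at sql[start]; return the
    decoded value and whatever text follows the closing quote."""
    i, out = start + 1, []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):          # backslash escape
            out.append(UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # doubled quote
            out.append("'")
            i += 2
        elif ch == "'":                              # end of literal
            return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")


def roundtrip(path: str, escaped: bool) -> tuple[str, str]:
    """Emit then re-read; a non-empty second element means part of the path
    escaped the literal and would be parsed as SQL by the restoring client."""
    clause = emit_data_directory(path, escaped)
    return parse_single_quoted(clause, clause.index("'"))
```

With the raw path `/tmp/d'ir` the pre-fix emitter leaves `ir'` outside the literal, while the escaped form round-trips the path unchanged; a backslash in the path is silently altered by the raw form as well.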
| filename= winfilename; | ||
| #endif | ||
| packet->append(filename, length); | ||
| packet->append_for_single_quote(filename, length); | ||
| packet->append('\''); | ||
| } |
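Review bot: the value is written between the quote emitted by `packet->append('\'')` calls, so the replaced `packet->append(filename, length)` let any single quote (or backslash) inside the path end or alter the literal; `append_for_single_quote` is the right call at this site. Since the PR description says both DATA DIRECTORY and INDEX DIRECTORY are affected, please confirm this is the shared emission path for both (or that the INDEX DIRECTORY site received the same change), and consider a test value that also contains a backslash, not only a quote.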
| CREATE DATABASE restoreddb; | ||
| --exec $MYSQL restoreddb < $MYSQLTEST_VARDIR/tmp/m40159_dump.sql 2>/dev/null | ||
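Review bot: `2>/dev/null` on the `--exec $MYSQL restoreddb < ...` line hides every error from the restore, so if the dump fails to load for an unrelated reason (missing file, syntax error in the dump) the later check that the backdoor user is absent would pass vacuously. Suggest dropping the redirect, or following the restore with a positive assertion that the legitimate table actually landed in `restoreddb` before checking for the user.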
| # The backdoor admin now exists with GRANT ALL PRIVILEGES ON *.*. |
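Review bot: the comment `# The backdoor admin now exists with GRANT ALL PRIVILEGES ON *.*.` describes the pre-fix outcome, but per the PR overview the test verifies that the user is not created on restore, so the comment contradicts the check it introduces. Reword it to state what the test asserts (that no such user exists after the restore) so a future reader does not mistake the expected result.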
| --source include/have_innodb.inc | ||
| --source include/have_symlink.inc | ||
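Review bot: `--source include/have_symlink.inc` makes the whole regression test skip on builds and platforms where symlink support is disabled, yet the defect being fixed is in how the directory string is emitted into the CREATE statement, not in symlink creation. If the escaping can be exercised with only the `have_innodb.inc` requirement, consider splitting that part out so the regression guard runs everywhere; otherwise add a comment explaining why symlink support is required.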
bd33b6e to 4aaebfc
Correct append function called for value in quotes
4aaebfc to b95c40e
…store: DATA/INDEX DIRECTORY, symlinks
Correct append function called for value in quotes