bug#11761752: DO NOT ALLOW USE OF ALTERNATE DATA STREAMS ON NTFS FILESYSTEM.

File names with colon are being disallowed because of the Alternate Data Stream (ADS) feature of NTFS that could be misused. ADS allows data to be written to alternate streams of a normal file. The data in alternate streams cannot be seen by normal tools on Windows (explorer, cmd.exe). As a result someone can use this feature to hide large amount of data in alternate streams and admins will have no easy way of figuring out the files that are using that disk space. The fix also disallows ADS in the scenarios where file name is passed as some dynamic variable. An important thing about the fix is that it DOES NOT disallow ADS file names if they are not dynamic (i.e. if the file is created by using some option that needs local access to the MySQL server, for example error log file). The reasoning is that if some MySQL option related to files requires access to the local machine (it is not dynamic), then user can very well create data in ADS by some other means. This fixes only those scenarios which can allow users to create data in ADS over the wire. File names with colon are being disallowed only on Windows. UNIX (Linux in particular) supports NTFS, but it will not be a common scenario for someone to configure a NTFS file system to store MySQL data on Linux. Changes in file bug11761752-master.opt are needed due to bug number 15937938.

bug#11761752: DO NOT ALLOW USE OF ALTERNATE DATA STREAMS ON NTFS FILESYSTEM.
File names with colon are being disallowed because of the Alternate Data Stream (ADS) feature of NTFS that could be misused. ADS allows data to be written to alternate streams of a normal file. The data in alternate streams cannot be seen by normal tools on Windows (explorer, cmd.exe). As a result someone can use this feature to hide large amount of data in alternate streams and admins will have no easy way of figuring out the files that are using that disk space. The fix also disallows ADS in the scenarios where file name is passed as some dynamic variable. An important thing about the fix is that it DOES NOT disallow ADS file names if they are not dynamic (i.e. if the file is created by using some option that needs local access to the MySQL server, for example error log file). The reasoning is that if some MySQL option related to files requires access to the local machine (it is not dynamic), then user can very well create data in ADS by some other means. This fixes only those scenarios which can allow users to create data in ADS over the wire. File names with colon are being disallowed only on Windows. UNIX (Linux in particular) supports NTFS, but it will not be a common scenario for someone to configure a NTFS file system to store MySQL data on Linux. Changes in file bug11761752-master.opt are needed due to bug number 15937938.
92582232 · Ravinder Thakur · a01e70c2 · 92582232 · 92582232 · 92582232
Commit 92582232 authored Dec 13, 2012 by Ravinder Thakur
Showing with 77 additions and 0 deletions

include/my_sys.h include/my_sys.h +1 -0

mysys/my_access.c mysys/my_access.c +61 -0

mysys/my_fopen.c mysys/my_fopen.c +5 -0

mysys/my_open.c mysys/my_open.c +7 -0

sql/set_var.cc sql/set_var.cc +3 -0

No files found.
--- a/include/my_sys.h
+++ b/include/my_sys.h
@@ -649,6 +649,7 @@ extern File my_sopen(const char *path, int oflag, int shflag, int pmode);
 #endif
 extern int check_if_legal_filename(const char *path);
 extern int check_if_legal_tablename(const char *path);
+extern my_bool is_filename_allowed(const char *name, size_t length);

 #if defined(__WIN__) && defined(__NT__)
 extern int nt_share_delete(const char *name,myf MyFlags);

--- a/mysys/my_access.c
+++ b/mysys/my_access.c
@@ -156,6 +156,67 @@ int check_if_legal_tablename(const char *name)
 }


+#ifdef __WIN__
+/**
+  Checks if the drive letter supplied is valid or not. Valid drive
+  letters are A to Z, both lower case and upper case.
+
+  @param drive_letter : The drive letter to validate.
+ 
+  @return TRUE if the drive exists, FALSE otherwise.
+*/
+static my_bool does_drive_exists(char drive_letter)
+{
+  DWORD drive_mask= GetLogicalDrives();
+  drive_letter= toupper(drive_letter);
+
+  return (drive_letter >= 'A' && drive_letter <= 'Z') &&
+         (drive_mask & (0x1 << (drive_letter - 'A')));
+}
+#endif
+
+/**
+  Verifies if the file name supplied is allowed or not. On Windows
+  file names with a colon (:) are not allowed because such file names
+  store data in Alternate Data Streams which can be used to hide 
+  the data.
+
+  @param name contains the file name with or without path
+  @param length contains the length of file name
+ 
+  @return TRUE if the file name is allowed, FALSE otherwise.
+*/
+my_bool is_filename_allowed(const char *name __attribute__((unused)),
+                            size_t length __attribute__((unused)))
+{
+#ifdef __WIN__
+  /* 
+    For Windows, check if the file name contains : character.
+    Start from end of path and search if the file name contains :
+  */
+  const char* ch = NULL;
+  for(ch= name + length - 1; ch >= name; --ch)
+  {
+    if (FN_LIBCHAR == *ch || '/' == *ch)
+      break;
+    else if (':' == *ch)
+    {
+      /*
+        File names like C:foobar.txt are allowed since the syntax means
+        file foobar.txt in current directory of C drive. However file
+        names likes CC:foobar are not allowed since this syntax means ADS
+        foobar in file CC.
+      */
+      return ((ch - name == 1) && does_drive_exists(*name));
+    }
+  }
+  return TRUE;
+#else
+  /* For other platforms, file names can contain colon : */
+  return TRUE;
+#endif
+} /* is_filename_allowed */
+
 #if defined(__WIN__) || defined(__EMX__)



--- a/mysys/my_fopen.c
+++ b/mysys/my_fopen.c
@@ -56,6 +56,11 @@ FILE *my_fopen(const char *filename, int flags, myf MyFlags)
    errno= EACCES;
    fd= 0;
  }
+  else if (!is_filename_allowed(filename, strlen(filename)))
+  {
+    errno= EINVAL;
+    fd= 0;
+  }
  else
 #endif
  {

--- a/mysys/my_open.c
+++ b/mysys/my_open.c
@@ -218,6 +218,13 @@ File my_sopen(const char *path, int oflag, int shflag, int pmode)
  DWORD fileattrib;                       /* OS file attribute flags */
  SECURITY_ATTRIBUTES SecurityAttributes;

+  if (!is_filename_allowed(path, strlen(path)))
+  {
+    errno= EINVAL;
+    _doserrno= 0L;        /* not an OS error */
+    return -1;
+  }
+
  SecurityAttributes.nLength= sizeof(SecurityAttributes);
  SecurityAttributes.lpSecurityDescriptor= NULL;
  SecurityAttributes.bInheritHandle= !(oflag & _O_NOINHERIT);

--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -2502,6 +2502,9 @@ static int  sys_check_log_path(THD *thd,  set_var *var)
    goto err;
  }

+  if (!is_filename_allowed(log_file_str, strlen(log_file_str)))
+    goto err;
+
  if (my_stat(path, &f_stat, MYF(0)))
  {
    /*