Merge branch 'mysql-5.5' into mysql-5.6

(cherry picked from commit 3084723f76d19990f3573c5ec614709f567df78b)

Author: ssorumgard

sql/log.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1494,6 +1494,78 @@ bool MYSQL_LOG::init_and_set_log_file_name(const char *log_name,
 }
 
 
+bool is_valid_log_name(const char *name, size_t len)
+{
+  if (len > 3)
+  {
+    const char *tail= name + len - 4;
+    if (my_strcasecmp(system_charset_info, tail, ".ini") == 0 ||
+        my_strcasecmp(system_charset_info, tail, ".cnf") == 0)
+    {
+      return false;
+    }
+  }
+  return true;
+}
+
+
+/**
+  Get the real log file name, and possibly reopen file.
+
+  Use realpath() to get the path with symbolic links
+  expanded. Then, close the file, and reopen the real path using the
+  O_NOFOLLOW flag. This will reject following symbolic links.
+
+  @param          file                  File descriptor.
+  @param          log_file_key          Key for P_S instrumentation.
+  @param          open_flags            Flags to use for opening the file.
+  @param          opened_file_name      Name of the open fd.
+
+  @retval file descriptor to open file with 'real_file_name', or '-1'
+          in case of errors.
+*/
+
+#ifndef _WIN32
+static File mysql_file_real_name_reopen(File file,
+#ifdef HAVE_PSI_INTERFACE
+                                        PSI_file_key log_file_key,
+#endif
+                                        int open_flags,
+                                        const char *opened_file_name)
+{
+  DBUG_ASSERT(file);
+  DBUG_ASSERT(opened_file_name);
+
+  /* Buffer for realpath must have capacity for PATH_MAX. */
+  char real_file_name[PATH_MAX];
+
+  /* Get realpath, validate, open realpath with O_NOFOLLOW. */
+  if (realpath(opened_file_name, real_file_name) == NULL)
+  {
+    (void) mysql_file_close(file, MYF(0));
+    return -1;
+  }
+
+  if (mysql_file_close(file, MYF(0)))
+    return -1;
+
+  if (strlen(real_file_name) > FN_REFLEN)
+    return -1;
+
+  if (!is_valid_log_name(real_file_name, strlen(real_file_name)))
+  {
+    sql_print_error("Invalid log file name after expanding symlinks: '%s'",
+                    real_file_name);
+    return -1;
+  }
+
+  return mysql_file_open(log_file_key, real_file_name,
+                         open_flags | O_NOFOLLOW,
+                         MYF(MY_WME | ME_WAITTANG));
+}
+#endif // _WIN32
+
+
 /*
   Open a (new) log file.
 
@@ -1564,6 +1636,18 @@ bool MYSQL_LOG::open(
                              MYF(MY_WME | ME_WAITTANG))) < 0)
     goto err;
 
+#ifndef _WIN32
+  /* Reopen and validate path. */
+  if ((log_type_arg == LOG_UNKNOWN || log_type_arg == LOG_NORMAL) &&
+      (file= mysql_file_real_name_reopen(file,
+#ifdef HAVE_PSI_INTERFACE
+                                         log_file_key,
+#endif
+                                         open_flags,
+                                         log_file_name)) < 0)
+    goto err;
+#endif // _WIN32
+
   if ((pos= mysql_file_tell(file, MYF(MY_WME))) == MY_FILEPOS_ERROR)
   {
     if (my_errno == ESPIPE)

sql/log.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -578,6 +578,16 @@ bool flush_error_log();
 
 char *make_log_name(char *buff, const char *name, const char* log_ext);
 
+/**
+  Check given log name against certain blacklisted names/extensions.
+
+  @param name     Log name to check
+  @param len      Length of log name
+
+  @returns true if name is valid, false otherwise.
+*/
+bool is_valid_log_name(const char *name, size_t len);
+
 extern LOGGER logger;
 
 #endif /* LOG_H */

sql/mysqld.cc

@@ -4111,6 +4111,22 @@ int init_common_variables()
   if (!opt_slow_logname || !*opt_slow_logname)
     opt_slow_logname= make_default_log_name(slow_logname_path, "-slow.log");
 
+  if (opt_logname &&
+      !is_valid_log_name(opt_logname, strlen(opt_logname)))
+  {
+    sql_print_error("Invalid value for --general_log_file: %s",
+                    opt_logname);
+    return 1;
+  }
+
+  if (opt_slow_logname &&
+      !is_valid_log_name(opt_slow_logname, strlen(opt_slow_logname)))
+  {
+    sql_print_error("Invalid value for --slow_query_log_file: %s",
+                    opt_slow_logname);
+    return 1;
+  }
+
 #if defined(ENABLED_DEBUG_SYNC)
   /* Initialize the debug sync facility. See debug_sync.cc. */
   if (debug_sync_init())

sql/sys_vars.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -3682,6 +3682,14 @@ static bool check_log_path(sys_var *self, THD *thd, set_var *var)
   if (!var->save_result.string_value.str)
     return true;
 
+  if (!is_valid_log_name(var->save_result.string_value.str,
+                         var->save_result.string_value.length))
+  {
+    my_error(ER_WRONG_VALUE_FOR_VAR, MYF(0),
+             self->name.str, var->save_result.string_value.str);
+    return true;
+  }
+
   if (var->save_result.string_value.length > FN_REFLEN)
   { // path is too long
     my_error(ER_PATH_LENGTH, MYF(0), self->name.str);
@@ -3728,7 +3736,7 @@ static bool check_log_path(sys_var *self, THD *thd, set_var *var)
   return false;
 }
 static bool fix_log(char** logname, const char* default_logname,
-                    const char*ext, bool enabled, void (*reopen)(char*))
+                    const char*ext, bool enabled, bool (*reopen)(char*))
 {
   if (!*logname) // SET ... = DEFAULT
   {
@@ -3740,16 +3748,17 @@ static bool fix_log(char** logname, const char* default_logname,
   }
   logger.lock_exclusive();
   mysql_mutex_unlock(&LOCK_global_system_variables);
+  bool error= false;
   if (enabled)
-    reopen(*logname);
+    error= reopen(*logname);
   logger.unlock();
   mysql_mutex_lock(&LOCK_global_system_variables);
-  return false;
+  return error;
 }
-static void reopen_general_log(char* name)
+static bool reopen_general_log(char* name)
 {
   logger.get_log_file_handler()->close(0);
-  logger.get_log_file_handler()->open_query_log(name);
+  return logger.get_log_file_handler()->open_query_log(name);
 }
 static bool fix_general_log_file(sys_var *self, THD *thd, enum_var_type type)
 {
@@ -3762,10 +3771,10 @@ static Sys_var_charptr Sys_general_log_path(
        IN_FS_CHARSET, DEFAULT(0), NO_MUTEX_GUARD, NOT_IN_BINLOG,
        ON_CHECK(check_log_path), ON_UPDATE(fix_general_log_file));
 
-static void reopen_slow_log(char* name)
+static bool reopen_slow_log(char* name)
 {
   logger.get_slow_log_file_handler()->close(0);
-  logger.get_slow_log_file_handler()->open_slow_log(name);
+  return logger.get_slow_log_file_handler()->open_slow_log(name);
 }
 static bool fix_slow_log_file(sys_var *self, THD *thd, enum_var_type type)
 {