mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-15 19:42:28 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDEV-34854 Parsec sends garbage when using an empty password

Browse source 
When an empty password is set, the server doesn't call
st_mysql_auth::hash_password and leaves MYSQL_SERVER_AUTH_INFO::auth_string
empty.

Fix:
generate hashes by calling hash_password for empty passwords as well. This
changes the api behavior slightly, but since even old plugins support it,
we can ignore this.

Some empty passwords could be already stored with no salt, though. The user
will have to call SET PASSWORD once again, anyway the authentication wouldn't
have worked for such password.
This commit is contained in:
Nikita Malyavin 2024-09-04 19:57:45 +02:00 committed by Oleksandr Byelkin
parent 9e1fb104a3
commit 583a5a79c9
3 changed files with 33 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
mysql-test/suite/plugins/r/parsec.result
View file

@ -28,3 +28,18 @@ test.have_ssl()
yes
drop function have_ssl;
drop user test1@'%';
# MDEV-34854 Parsec sends garbage when using an empty password
create user test2@'%' identified via parsec using PASSWORD('');
show grants for test2@'%';
Grants for test2@%
GRANT USAGE ON *.* TO `test2`@`%` IDENTIFIED VIA parsec USING 'P0:salt:password'
connect con4, localhost, test2,;
select 4, USER(), CURRENT_USER();
4 USER() CURRENT_USER()
4 test2@localhost test2@%
disconnect con4;
connect(localhost,test2,wrong_pwd,test,MASTER_MYPORT,MASTER_MYSOCK);
connect con5, localhost, test2, "wrong_pwd";
ERROR 28000: Access denied for user 'test2'@'localhost' (using password: NO)
connection default;
drop user test2@'%';

15
mysql-test/suite/plugins/t/parsec.test
View file

@ -43,3 +43,18 @@ if ($MTR_COMBINATION_WIN) {
drop function have_ssl;
drop user test1@'%';
--echo # MDEV-34854 Parsec sends garbage when using an empty password
create user test2@'%' identified via parsec using PASSWORD('');
--replace_regex /:[A-Za-z0-9+\/]{43}'/:password'/ /:[A-Za-z0-9+\/]{24}:/:salt:/
show grants for test2@'%';
connect con4, localhost, test2,;
select 4, USER(), CURRENT_USER();
disconnect con4;
--replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT
--error ER_ACCESS_DENIED_ERROR
connect con5, localhost, test2, "wrong_pwd";
connection default;
drop user test2@'%';

5
sql/sql_acl.cc
View file

@ -2401,7 +2401,8 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,
res= ER_NOT_VALID_PASSWORD;
goto end;
}
if (pwtext.length)
if (!auth->auth_string.length)
{
if (info->hash_password)
{
@ -2416,7 +2417,7 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,
auth->auth_string.str= (char*)memdup_root(&acl_memroot, buf, len+1);
auth->auth_string.length= len;
}
else
else if (pwtext.length)
{
res= ER_SET_PASSWORD_AUTH_PLUGIN;
goto end;