backport #43748, applying commits 70359 and 70377

17 years ago · 80d982eb98
3 changed files with 27 additions and 1 deletions
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@ -2125,6 +2125,13 @@ void Security_context::skip_grants()
 }


+bool Security_context::user_matches(Security_context *them)
+{
+  return ((user != NULL) && (them->user != NULL) &&
+          !strcmp(user, them->user));
+}
+
+
 /****************************************************************************
  Handling of open and locked tables states.

--- a/sql/sql_class.h
+++ b/sql/sql_class.h
@ -978,6 +978,7 @@ public:
  {
    return (*priv_host ? priv_host : (char *)"%");
  }
+  bool user_matches(Security_context *);
 };


--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -7339,8 +7339,26 @@ void kill_one_thread(THD *thd, ulong id, bool only_kill_query)
  VOID(pthread_mutex_unlock(&LOCK_thread_count));
  if (tmp)
  {
+
+    /*
+      If we're SUPER, we can KILL anything, including system-threads.
+      No further checks.
+
+      KILLer: thd->security_ctx->user could in theory be NULL while
+      we're still in "unauthenticated" state. This is a theoretical
+      case (the code suggests this could happen, so we play it safe).
+
+      KILLee: tmp->security_ctx->user will be NULL for system threads.
+      We need to check so Jane Random User doesn't crash the server
+      when trying to kill a) system threads or b) unauthenticated users'
+      threads (Bug#43748).
+
+      If user of both killer and killee are non-NULL, proceed with
+      slayage if both are string-equal.
+    */
+
    if ((thd->security_ctx->master_access & SUPER_ACL) ||
-	!strcmp(thd->security_ctx->user, tmp->security_ctx->user))
+        thd->security_ctx->user_matches(tmp->security_ctx))
    {
      tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION);
      error=0;