[MDEV-12241] unusual values in enums subvert SHOW CREATE TABLE and DESCRIBE Created: 2017-03-13  Updated: 2020-12-01

Status: Confirmed
Project: MariaDB Server
Component/s: None
Affects Version/s: 5.5, 10.0, 10.1, 10.1.19, 10.2
Fix Version/s: 10.2

Type: Bug Priority: Major
Reporter: Eric Herman Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: upstream


Description

If I add backspaces, a literal 0x00, or other unusual characters to an enum value, I can see very strange results:

MariaDB [test]> select version();
+-----------------+
| version()       |
+-----------------+
| 10.1.19-MariaDB |
+-----------------+
1 row in set (0.00 sec)
 
MariaDB [test]> create table t1(id int, e enum('foo', 'bar', 0x08080808080808, 'whiz', 'bang', 0x00, 'hello') NOT NULL) engine=innodb;
Query OK, 0 rows affected (0.25 sec)
 
MariaDB [test]> show create table t1\G
*************************** 1. row ***************************
       Table: t1
Create Table: CREATE TABLE `t1` (
  `id` int(11) DEFAULT NULL,
  `e` enum('foo',','whiz','bang') NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1
1 row in set (0.00 sec)
 
MariaDB [test]> describe t1\G
*************************** 1. row ***************************
  Field: id
   Type: int(11)
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 2. row ***************************
  Field: e
   Type: enum('foo',','whiz','bang')
   Null: NO
    Key: 
Default: NULL
  Extra: 
2 rows in set (0.00 sec)

I can only imagine it gets worse if I add FormFeed or NewLine characters. Also I am concerned how this impacts dump-and-restore.



Comments
Comment by Eric Herman [ 2017-03-13 ]

regarding backup and restore: https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/

Comment by Eric Herman [ 2017-03-13 ]

With the following:

eric@hinny:~/src$ /home/eric/src/mariadb-server/client/mysql test -e "create table t10 (i int, e enum(0x50,0x00,0x02));"

In the SHOW CREATE TABLE case, the returned type is a VAR_STRING, which is fine, but I argue these values must be escaped:

eric@hinny:~/src$ /home/eric/src/mariadb-server/client/mysql  --column-type-info --table test -e "SHOW CREATE TABLE t10;"
Field   1:  `Table`
Catalog:    `def`
Database:   ``
Table:      ``
Org_table:  ``
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     64
Max_length: 3
Decimals:   39
Flags:      NOT_NULL 
 
Field   2:  `Create Table`
Catalog:    `def`
Database:   ``
Table:      ``
Org_table:  ``
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     1024
Max_length: 116
Decimals:   39
Flags:      NOT_NULL 
 
 
+-------+----------------------------------------------------------------------------------------------------------------------+
| Table | Create Table                                                                                                         |
+-------+----------------------------------------------------------------------------------------------------------------------+
| t10   | CREATE TABLE `t10` (
  `i` int(11) DEFAULT NULL,
  `e` enum('P') DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1 |
+-------+----------------------------------------------------------------------------------------------------------------------+

In the DESCRIBE case, the `Type` is a BLOB, which I suggest is wrong. It should be an escaped VAR_STRING:

eric@hinny:~/src$ /home/eric/src/mariadb-server/client/mysql  --column-type-info --table test -e "describe t10;"
Field   1:  `Field`
Catalog:    `def`
Database:   `information_schema`
Table:      `COLUMNS`
Org_table:  `COLUMNS`
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     64
Max_length: 1
Decimals:   0
Flags:      NOT_NULL 
 
Field   2:  `Type`
Catalog:    `def`
Database:   `information_schema`
Table:      `COLUMNS`
Org_table:  `COLUMNS`
Type:       BLOB
Collation:  latin1_swedish_ci (8)
Length:     196605
Max_length: 9
Decimals:   0
Flags:      NOT_NULL BLOB 
 
Field   3:  `Null`
Catalog:    `def`
Database:   `information_schema`
Table:      `COLUMNS`
Org_table:  `COLUMNS`
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     3
Max_length: 3
Decimals:   0
Flags:      NOT_NULL 
 
Field   4:  `Key`
Catalog:    `def`
Database:   `information_schema`
Table:      `COLUMNS`
Org_table:  `COLUMNS`
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     3
Max_length: 0
Decimals:   0
Flags:      NOT_NULL 
 
Field   5:  `Default`
Catalog:    `def`
Database:   `information_schema`
Table:      `COLUMNS`
Org_table:  `COLUMNS`
Type:       BLOB
Collation:  latin1_swedish_ci (8)
Length:     196605
Max_length: 0
Decimals:   0
Flags:      BLOB 
 
Field   6:  `Extra`
Catalog:    `def`
Database:   `information_schema`
Table:      `COLUMNS`
Org_table:  `COLUMNS`
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     30
Max_length: 0
Decimals:   0
Flags:      NOT_NULL 
 
 
+-------+-----------+------+-----+---------+-------+
| Field | Type      | Null | Key | Default | Extra |
+-------+-----------+------+-----+---------+-------+
| i     | int(11)   | YES  |     | NULL    |       |
| e     | enum('P') | YES  |     | NULL    |       |
+-------+-----------+------+-----+---------+-------+
eric@hinny:~/src$
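The description and the comment above make two points: SHOW CREATE TABLE and DESCRIBE copy ENUM members into their output without escaping, so control bytes reach the terminal (where backspaces and NUL garble what the DBA sees) and any dump built from that output. The Python below is an added example, not code from the report or from MariaDB. It shows one escaping rule a DDL emitter could apply (an assumption, not MariaDB's real rule: printable ASCII becomes a quoted literal with embedded quotes doubled, anything else becomes a hex literal, which the ENUM grammar accepted in the reporter's own CREATE TABLE), and a check a DBA can run over a SHOW CREATE TABLE result or a dump line before trusting it for restore. The sample line is a constructed approximation of the reporter's `e` column as the server emitted it, with the backspace and NUL members left raw.

```python
"""Helpers for the ENUM-escaping problem described in MDEV-12241.

Added example, not MariaDB code. Two parts:
  1. render_enum_type(): one way a DDL emitter could print ENUM members so
     that control bytes never reach the terminal or a dump file raw
     (assumed rule: printable ASCII -> quoted literal, anything else -> hex
     literal, which the ENUM grammar accepted in the report's CREATE TABLE).
  2. find_raw_control_bytes() / make_visible(): checks to run over a
     SHOW CREATE TABLE result or a mysqldump line before trusting it.
"""
from typing import Iterable, List, Tuple

# Bytes that may be shown raw inside a single-quoted literal: printable ASCII.
_PRINTABLE = frozenset(range(0x20, 0x7F))
# Bytes that must never appear raw in DDL output: C0 controls and DEL.
_CONTROL = frozenset(range(0x00, 0x20)) | {0x7F}

# Constructed approximation of what the reporter's server emitted for the
# `e` column: the backspace and NUL members copied into the output unescaped.
SAMPLE_UNESCAPED_LINE = (
    b"  `e` enum('foo','bar','\x08\x08\x08\x08\x08\x08\x08','whiz','bang','\x00','hello') NOT NULL"
)

# The members of that column as the reporter declared them.
SAMPLE_MEMBERS = [b"foo", b"bar", b"\x08" * 7, b"whiz", b"bang", b"\x00", b"hello"]


def render_enum_value(value: bytes) -> str:
    """Render one ENUM member as an SQL literal that round-trips through a dump."""
    if all(b in _PRINTABLE for b in value):
        # Plain text: quote it, doubling any embedded single quote.
        return "'" + value.decode("ascii").replace("'", "''") + "'"
    # Control bytes or non-ASCII: a hex literal keeps every byte visible.
    return "0x" + value.hex()


def render_enum_type(values: Iterable[bytes]) -> str:
    """Render a full enum(...) type definition from its raw members."""
    return "enum(" + ",".join(render_enum_value(v) for v in values) + ")"


def find_raw_control_bytes(line: bytes) -> List[Tuple[int, str]]:
    """Return (offset, hex) for every raw control byte in a DDL/dump line.

    Correctly escaped output contains none; any hit means the line was not
    escaped by the server and cannot be trusted for restore.
    """
    return [(i, f"0x{b:02x}") for i, b in enumerate(line) if b in _CONTROL]


def make_visible(line: bytes) -> str:
    """Show a DDL line with every non-printable byte spelled out as \\xNN."""
    return "".join(chr(b) if b in _PRINTABLE else f"\\x{b:02x}" for b in line)


if __name__ == "__main__":
    hits = find_raw_control_bytes(SAMPLE_UNESCAPED_LINE)
    print(f"{len(hits)} raw control byte(s) at offsets {[o for o, _ in hits]}")
    print("as received:", make_visible(SAMPLE_UNESCAPED_LINE))
    print("escaped:    ", render_enum_type(SAMPLE_MEMBERS))
```

Running the script reports eight raw control bytes in the constructed line (the seven backspaces and the NUL), prints the line with those bytes spelled out so they can be seen instead of acting on the terminal, and prints the escaped form of the same seven members, which contains no raw control bytes at all. The hex-literal choice is deliberate: it keeps the exact bytes the table was defined with, which is what matters for a backup that must be restored faithfully.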

Comment by Eric Herman [ 2017-03-14 ]

I see similar results in upstream: https://bugs.mysql.com/bug.php?id=85440

Comment by Elena Stepanova [ 2017-04-17 ]

Thanks for the report.
