Patch backronym-5.4 revision 2015-07-05 07:07 UTC by stas@php.net
Patch backronym revision 2015-06-17 11:40 UTC by andrey@php.net

Patch backronym-5.4 for mysql Bug #69669

Patch version 2015-07-05 07:07 UTC


Developer: stas@php.net

commit a46bae2df257ec9bbc601204c73a8f7b103edee1
Author: Stanislav Malyshev <stas@php.net>
Date:   Sun Jul 5 00:00:53 2015 -0700

    Fix bug #69669 (mysqlnd is vulnerable to BACKRONYM)

diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
index d265dfd..1c4a771 100644
--- a/ext/mysqlnd/mysqlnd.c
+++ b/ext/mysqlnd/mysqlnd.c
@@ -446,7 +446,11 @@ mysqlnd_switch_to_ssl_if_needed(
 	}
 
 #ifdef MYSQLND_SSL_SUPPORTED
-	if ((greet_packet->server_capabilities & CLIENT_SSL) && (mysql_flags & CLIENT_SSL)) {
+	if (mysql_flags & CLIENT_SSL) {
+		zend_bool server_has_ssl = (greet_packet->server_capabilities & CLIENT_SSL)? TRUE:FALSE;
+		if (server_has_ssl == FALSE) {
+			goto close_conn;
+		} else {
 			zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE;
 			DBG_INF("Switching to SSL");
 			if (!PACKET_WRITE(auth_packet, conn)) {
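Review bot: The refusal at `goto close_conn;` is silent and undocumented: nothing at that branch records that a greeting without CLIENT_SSL is treated as a possible downgrade when the caller asked for SSL. I would add a comment such as `/* caller required SSL; the greeting is unauthenticated, so a missing CLIENT_SSL bit must abort instead of falling back to plaintext */` and a `DBG_ERR("Server does not offer SSL but the client requires it");` before the jump. The error set at `close_conn` later in this patch is CR_SERVER_GONE_ERROR, which an operator cannot tell apart from an ordinary dropped connection, so a distinct message would make stripped-TLS attempts easier to detect. The `else {` block opened here closes outside this hunk.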
@@ -461,11 +465,24 @@ mysqlnd_switch_to_ssl_if_needed(
 				goto end;
 			}
 		}
+	}
+#else
+	auth_packet->client_flags &= ~CLIENT_SSL;
+	if (!PACKET_WRITE(auth_packet, conn)) {
+		goto close_conn;
+	}
 #endif
 	ret = PASS;
 end:
 	PACKET_FREE(auth_packet);
 	DBG_RETURN(ret);
+
+close_conn:
+	CONN_SET_STATE(conn, CONN_QUIT_SENT);
+	conn->m->send_close(conn);
+	SET_CLIENT_ERROR(*conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone);
+	PACKET_FREE(auth_packet);
+	DBG_RETURN(ret);
 }
 /* }}} */
 
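Review bot: The new `#else` branch fails open: on a build without MYSQLND_SSL_SUPPORTED it clears CLIENT_SSL from `auth_packet->client_flags` and continues, so a caller that set CLIENT_SSL in `mysql_flags` gets a plaintext session with no error. If that fallback is not intended, refuse first with `if (mysql_flags & CLIENT_SSL) { goto close_conn; }`; if it is intended, it needs a comment saying so. `close_conn` returns `ret` without assigning it, and the initial value is set above the hunk (presumably FAIL), which is worth confirming. The label also repeats the `PACKET_FREE(auth_packet); DBG_RETURN(ret);` pair from `end:` and could set the state and error, then `goto end;` instead.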
 