Hello Serg,

On Fri, Apr 29, 2016 at 8:20 AM, Sergei Golubchik <serg@mariadb.org> wrote:
Hi, Nirbhay!

On Mar 31, Nirbhay Choubey wrote:
> revision-id: f9f290b6828eeb57cba611d006d2a9301dc52244 (mariadb-10.1.13-3-gf9f290b)
> parent(s): f4d5fe277599da4549c97c660f324c88cf9a2542
> author: Nirbhay Choubey
> committer: Nirbhay Choubey
> timestamp: 2016-03-31 18:03:44 -0400
> message:
>
> MDEV-9851: CREATE USER w/o IDENTIFIED BY clause causes crash when using cracklib plugin
>
> Add a check for NULL password.
>
> diff --git a/plugin/cracklib_password_check/cracklib_password_check.c b/plugin/cracklib_password_check/cracklib_password_check.c
> index c593173..c192cdf 100644
> --- a/plugin/cracklib_password_check/cracklib_password_check.c
> +++ b/plugin/cracklib_password_check/cracklib_password_check.c
> @@ -33,7 +33,8 @@ static int crackme(MYSQL_LEX_STRING *username, MYSQL_LEX_STRING *password)
>    if ((host= strchr(user, '@')))
>      *host++= 0;
>
> -  if ((res= FascistCheckUser(password->str, dictionary, user, host)))
> +  if ((password->str == NULL) ||                // No password
> +      (res= FascistCheckUser(password->str, dictionary, user, host)))
>    {
>      my_printf_error(ER_NOT_VALID_PASSWORD, "cracklib: %s",
>                      MYF(ME_JUST_WARNING), res);
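Review bot: in the two `+` lines, when `password->str == NULL` the `||` short-circuits before `res` is assigned, so the unchanged `my_printf_error(ER_NOT_VALID_PASSWORD, "cracklib: %s", MYF(ME_JUST_WARNING), res);` below formats whatever `res` held before the check (uninitialized or stale), which is undefined behaviour for `%s`. Give the no-password case its own message, for example a separate `if (password->str == NULL) res= "no password given";` before the `FascistCheckUser` call, or return early with a dedicated error. Since every validation plugin would need the same guard, normalizing NULL once in the server before dispatching to plugins is the more robust fix.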

You forgot to fix the simple_password_check plugin.

simple_password_check plugin was immune indirectly because of the following check:

if (strncmp(password->str, username->str, password->length) == 0)
  return 1;

And if all plugins need to do the same check - it's a strong indication that this should've been done in the server.

I agree.


So, please, fix this in sql_acl.cc instead. Like this:

-    struct validation_data data= { &user->user, &user->pwtext };
+    struct validation_data data= { &user->user, user->pwtext.str ? &user->pwtext : &empy_lex_str };
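Review bot: `empy_lex_str` in the `+` line looks like a typo for `empty_lex_str`; confirm the identifier against its declaration in sql_acl.cc before pushing, since a misspelled name will not compile. The substitution itself is the right shape: plugins then always receive a non-NULL `str`, and an empty password goes through each plugin's normal checks instead of needing a per-plugin NULL guard. A test case for `CREATE USER` without `IDENTIFIED BY` with a validation plugin loaded should accompany it, as the reply asks.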

Ok to push with this fix and your test case.

Done. 

Best,
Nirbhay


Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
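The design point argued in this thread (normalize a missing password once in the server rather than in every validation plugin) as an added, self-contained illustration in C. This is not MariaDB's code: `lex_str`, `validation_data`, `fake_plugin_check` and `validate_password` are this example's own stand-ins for the types and functions discussed above, and the plugin's rules (minimum length, not equal to the user name) are constructed for the demonstration.

```c
/* Added example, not MariaDB source. Shows why a NULL password string must be
 * turned into an empty string at one server-side choke point before any
 * password-validation plugin sees it. All names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for MYSQL_LEX_STRING: str may be NULL when CREATE USER was issued
 * without an IDENTIFIED BY clause. */
typedef struct { const char *str; size_t length; } lex_str;

/* Stand-in for the server's validation_data handed to plugins. */
struct validation_data { const lex_str *user; const lex_str *password; };

/* Stand-in for the server's empty LEX_STRING constant. */
static const lex_str empty_lex_str = { "", 0 };

/* Plugin-style check that, like the pre-fix cracklib plugin, assumes a
 * non-NULL C string. Returns 0 = accepted, 1 = rejected.
 * A real plugin would dereference NULL here; this one returns -1 so the
 * hazard can be observed without a crash. */
static int fake_plugin_check(const lex_str *username, const lex_str *password)
{
  if (password->str == NULL)
    return -1;                          /* would be a NULL dereference */
  if (strlen(password->str) < 4)
    return 1;                           /* constructed rule: too short */
  if (strcmp(password->str, username->str) == 0)
    return 1;                           /* constructed rule: equals user name */
  return 0;
}

/* Server-side entry point: the single place where a NULL password becomes
 * the empty string, mirroring the sql_acl.cc change suggested in the thread.
 * Every plugin downstream can then rely on a valid C string. */
static int validate_password(const lex_str *user, const lex_str *pwtext)
{
  struct validation_data data = { user, pwtext->str ? pwtext : &empty_lex_str };
  return fake_plugin_check(data.user, data.password);
}

int main(void)
{
  lex_str user = { "bob", 3 };
  lex_str no_password = { NULL, 0 };       /* CREATE USER bob; */
  lex_str good = { "correct horse", 13 };

  /* Calling the plugin directly with a NULL str is the crash path. */
  printf("plugin on NULL directly : %d (-1 = would crash)\n",
         fake_plugin_check(&user, &no_password));
  /* Through the server wrapper the plugin sees "" and simply rejects it. */
  printf("server wrapper on NULL  : %d (1 = rejected)\n",
         validate_password(&user, &no_password));
  printf("server wrapper on good  : %d (0 = accepted)\n",
         validate_password(&user, &good));
  return 0;
}
```

The wrapper is the only place that knows a password may be absent; plugins keep a single contract (non-NULL string) and an empty password is rejected by their ordinary rules rather than by a NULL check that each plugin author has to remember.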