Bug #49752 2469.126.2 unintentionally breaks authentication against MySQL 5.1 server
Submitted: 16 Dec 2009 23:18 Modified: 10 Jan 2011 3:23
Reporter: John Lightsey Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.1.40, 5.1 bzr OS:Any
Assigned to: Tatiana Azundris Nuernberg
Tags: username authentication multibyte
Triage: Triaged: D3 (Medium)

[16 Dec 2009 23:18] John Lightsey
Description:
In revno 2469.126.2 the fix for bug #21432 is changed so that USERNAME_LENGTH is swapped from

#define USERNAME_LENGTH 16

to

#define USERNAME_LENGTH         (USERNAME_CHAR_LENGTH*SYSTEM_CHARSET_MBMAXLEN)

USERNAME_LENGTH is used in sql/sql_connect.cc to create a buffer that the supplied user is transfered into.

With versions of MySQL prior to this change, the 16 character buffer had the effect of truncating any supplied ascii username to the 16 characters MySQL actually stores for usernames.  This meant that "testtesttest12345678" was actually trimmed to "testtesttest1234" before the credentials were checked.

With this change, no truncation of the supplied username takes place, so previously valid authentication credentials now fail to connect.

How to repeat:
Create user on MySQL 5.0 server with 16 character username, then connect with 17 character username.

Create user on MySQL 5.1 server with 16 character username, then fail to connect with 17 character username.

Suggested fix:
It would be helpful to have the pre-5.1 behavior of truncating the supplied usernames to match the length of the stored username field be the default or available as a compatibility option.
[17 Dec 2009 11:09] Sveta Smirnova
Thank you for the report.

Verified as described. Probably adding option is good idea.
[11 Jun 2010 6:47] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/110786

3422 Tatiana A. Nurnberg	2010-06-11
      Bug #49752: 2469.126.2 unintentionally breaks authentication against
                  MySQL 5.1 server
      
      Server used to clip overly long user-names. This was presumably lost
      when code was made UTF8-clean.
      
      Now we emulate the behaviour for backward compatibility, but UTF8-ly
      correct, and only when we're not in STRICT mode.
     @ mysql-test/r/connect.result
        Show that user-names that are too long get clipped in lenient mode now,
        but throw an error in strict mode.
     @ mysql-test/t/connect.test
        Show that user-names that are too long get clipped in lenient mode now,
        but throw an error in strict mode.
     @ sql/sql_connect.cc
        Clip user-name to 16 characters (not bytes) when not in STRICT mode.
[28 Jun 2010 8:18] Konstantin Osipov
Bar, could you please check the patch?
I, however, disagree that we need to take into account STRICT mode.
[1 Jul 2010 6:16] Alexander Barkov
Hi Tatjana,

The patch http://lists.mysql.com/commits/112642 looks fine.

Please check coding style, there should be a space in between
"(uint)" and "cs->...", like this:

+    user_len= (uint) cs->cset->well_formed_len(cs, user, user + user_len,
+                                               USERNAME_CHAR_LENGTH, &err);

That's right, well_formed_len() does not do any special about
'\0' bytes. But you don't need anything here, because the strdend()
call above will make sure there are no '\0' bytes.

Thanks for the suggestion about CHARSET_INFO.txt. Feel free to update it
in the same patch.

My "ok to push" after coding style clean-ups.

Will you ask Kosja to be the second reviewer?
[2 Jul 2010 4:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/112714

3422 Tatiana A. Nurnberg	2010-07-02
      Bug #49752: 2469.126.2 unintentionally breaks authentication against
                  MySQL 5.1 server
      
      Server used to clip overly long user-names. This was presumably lost
      when code was made UTF8-clean.
      
      Now we emulate the behaviour for backward compatibility, but UTF8-ly
      correct.
     @ mysql-test/r/connect.result
        Show that user-names that are too long get clipped now.
     @ mysql-test/t/connect.test
        Show that user-names that are too long get clipped now.
     @ sql/sql_connect.cc
        Clip user-name to 16 characters (not bytes).
[5 Dec 2010 12:38] Bugs System
Pushed into mysql-trunk 5.6.1 (revid:alexander.nozdrin@oracle.com-20101205122447-6x94l4fmslpbttxj) (version source revid:alexander.nozdrin@oracle.com-20101205122447-6x94l4fmslpbttxj) (merge vers: 5.6.1) (pib:23)
[15 Dec 2010 0:51] Paul Dubois
Bug does not appear in any released 5.6.x version.

Setting report to Need Merge pending push to other trees.
[17 Dec 2010 12:47] Bugs System
Pushed into mysql-5.1 5.1.55 (revid:georgi.kodinov@oracle.com-20101217124435-9imm43geck5u55qw) (version source revid:mats.kindahl@oracle.com-20101201193331-1c07sjno2g7m46ix) (merge vers: 5.1.55) (pib:24)
[17 Dec 2010 12:54] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:georgi.kodinov@oracle.com-20101217124733-p1ivu6higouawv8l) (version source revid:azundris@mysql.com-20101125035016-iwt4adcyfgdvak7v) (merge vers: 5.5.8) (pib:24)
[10 Jan 2011 3:23] Paul Dubois
Noted in 5.1.55, 5.5.9 changelogs.

If a client supplied a user name longer than the maximum 16
characters allowed for names stored in the MySQL grant tables, all
characters were being considered significant. Historically, only the
first 16 characters were used to check for a match; this behavior was
restored.