Bug #837 Incorrect authentication with old client and same length user/db names
Submitted: 13 Jul 2003 8:05 Modified: 27 Sep 2008 8:11
Reporter: [ name withheld ] Email Updates:
Status: Can't repeat Impact on me:
Category:MySQL Server Severity:S2 (Serious)
Version:4.1 OS:Linux (Linux)
Assigned to: CPU Architecture:Any
Tags: affects_connectors

[13 Jul 2003 8:05] [ name withheld ]
When using MySQL 4.1 with old passwords and an old (pre-4.1) client, 
authentication fails in odd ways if multiple users or databases have names of
the same length.
I have tested this when using MySQL 4.1 server on Linux and the Windows binary 
distribution of MySQL Control Center client 0.9.2, and with the MySQL client
version 3.23.49 on NetBSD. The server was configured with the following
options: --prefix=/usr/local/mysql --with-extra-charsets=all

The problems which occur when using an old client are not clearly
defined, but some of the problems I observed are:
-When logged in as fusio, you can access both databases fusio and aaaaa
and vice versa
-When logged in as fusio or aaaaa you cannot access either database

This seems rather serious, as users can incorrectly access other users'

When the only databases and users that exist have names with different
lengths, (e.g. aaaaa and aaaaaa) the problem does not seem to occur.

The problems do not occur when using the MySQL 4.1 client and when using old
or new passwords.

How to repeat:
To set up my test case, install MySQL 4.1, run mysql_install_db, run the server
with mysqld_safe --skip-innodb , run the mysql 4.1 client and issue the
following commands:

use mysql
grant all on aaaaa.* to aaaaa identified by 'foo';
grant all on fusio.* to fusio identified by 'foo';
update user set Password=old_password('foo') where User='aaaaa';
update user set Password=old_password('foo') where User='fusio';
flush privileges;

To test, run an old MySQL client like this:
mysql -u fusio -p
mysql -u aaaaa -p

then try:
create database fusio;
create database aaaaa;

Or try the same operations using the Windows binary distribution of MySQL
Control Center version 0.9.2

Depending on how it failed, neither or both of the above will work.
Running flush privileges *while a user is logged in* seems to modify
the way in which it fails sometimes.

I can answer any questions or provide a MySQL server on the internet that
exhibits the problem if asked. My email address is
Mario Becroft <mb@gem.win.co.nz>

Suggested fix:
Not known.
[13 Jul 2003 8:07] [ name withheld ]
I forgot to mention that the problem also occurs with the latest
development version obtained from bitkeeper as of Sun Jul 13.
[14 Jul 2003 1:57] Sergei Golubchik
authentification protocol in 4.1 is being changed for 4.1.1.
Let's return to this bug when it'll be done.
[27 Sep 2008 8:11] Konstantin Osipov
This bug relates to 4.1 version of authentication that never went GA -- it was rewritten in 4.1.1 by yours truly.
I have insufficient information to repeat the bug now, and suspect it never applied to the new implementation.