
Key: CORE-5277
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Adriano dos Santos Fernandes
Reporter: Pavel Zotov
Votes: 0
Watchers: 3
Firebird Core

Parameters with multibyte character sets allow to bypass the character limit of varchar fields

Created: 13/Jun/16 01:24 PM   Updated: 13/Jul/16 03:19 PM
Component/s: Engine
Affects Version/s: 4.0 Initial, 3.0.0
Fix Version/s: 3.0.1, 4.0 Alpha 1

QA Status: Done successfully


Description
Simple test case:

isql t.fdb -ch utf8

recreate table t (c varchar(2) character set utf8);

set bulk_insert INSERT INTO T VALUES (?);
--
('abcdefgh')
stop

I suppose 2.5 is also susceptible with a different test case.

------------

Original test case:

CREATE USER <name> allows specifying a <name> longer than 64 characters, which leads to a failure when we later execute SELECT * FROM SEC$USERS or SHOW USERS

1) Stop FB server, take empty (non-initialized) security4.fdb and enter command:

C:\MIX\firebird\fb40> echo create user sysdba password 'masterke'; show users; | C:\MIX\firebird\fb40\isql -q -z C:\MIX\firebird\fb40\security4.fdb
ISQL Version: WI-T4.0.0.248 Firebird 4.0 Unstable
Server version:
WI-T4.0.0.248 Firebird 4.0 Unstable
Users in the database
  2 #SYSDBA

2) Start FB server

3) Run:
C:\MIX\firebird\fb40>C:\MIX\firebird\fb40\isql -q
SQL> create database 'localhost:c:\temp\tmp201606131619.fdb' user sysdba password 'masterke';
SQL> create or alter user
CON> u2345678901234567890123456789012345678901234567890123456789012345 password 'q';
SQL> commit;

SQL> create or alter user
CON> z234567890123456789012345678901234567890123456789012345678901234567890 password 'z';
SQL> commit;
SQL> set list on;
SQL> select * from sec$users;

Statement failed, SQLSTATE = 22001
find/display record error
-arithmetic exception, numeric overflow, or string truncation
-string right truncation
-expected length 64, actual 65
SQL> show users;
Statement failed, SQLSTATE = 22001
find/display record error
-arithmetic exception, numeric overflow, or string truncation
-string right truncation
-expected length 64, actual 65
Command error: show users

Why was no exception raised when we issued the first 'create user' command (before commit)?


Pavel Zotov added a comment - 13/Jun/16 01:34 PM
PS.

The DDL of sec$users now allows storing a user name of 64 UTF8 characters:


C:\MIX\firebird\QA\fbt-repo\tmp>echo show table sec$users;|isql /:e40
SEC$USER_NAME (RDB$USER) CHAR(64) CHARACTER SET UTF8 Nullable
SEC$FIRST_NAME (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UTF8 Nullable
SEC$MIDDLE_NAME (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UTF8 Nullable
SEC$LAST_NAME (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UTF8 Nullable
...

This new (increased) limit explains why the following statement passes without error:

create or alter user
u2345678901234567890123456789012345678901234567890123456789012345u2345678901234567890123456789012345678901234567890123456789012345u2345678901234567890123456789012345678901234567890123456789012345u23456789012345678901234567890123456789012345678901234567890
password 'A';

(length of login = 255 bytes).

So now I think that there is no error when we add a new user with a long name; rather, the command SHOW USERS and the query to SEC$USERS should be fixed.

Is this a correct guess?

Adriano dos Santos Fernandes added a comment - 14/Jun/16 01:40 AM
Edited as the source of the problem has nothing to do with CREATE USER.
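
The length arithmetic behind the values in this report, as an added example that is not part of the issue or of Firebird's code: a client-side guard that counts characters before binding a parameter, shown next to a byte-capacity check that accepts the same values. It assumes 4 bytes are reserved per UTF8 character; `measure`, `guard`, `numbered_name` and `ParameterTooLong` are hypothetical names, and the inputs are rebuilt from the strings quoted above.

```python
UTF8_MAX_BYTES_PER_CHAR = 4  # assumption: storage reserved per UTF8 character


class ParameterTooLong(ValueError):
    """Raised when a value exceeds the declared character limit."""


def measure(value: str, declared_chars: int) -> dict:
    """Compare a value against a column declared as N characters of UTF8."""
    n_bytes = len(value.encode("utf-8"))
    capacity = declared_chars * UTF8_MAX_BYTES_PER_CHAR
    return {
        "chars": len(value),  # Python str length counts code points
        "bytes": n_bytes,
        "byte_capacity": capacity,
        "fits_bytes": n_bytes <= capacity,          # byte check alone
        "fits_chars": len(value) <= declared_chars,  # the declared limit
    }


def guard(value: str, declared_chars: int) -> str:
    """Return the value unchanged, or refuse it before it is bound."""
    m = measure(value, declared_chars)
    if not m["fits_chars"]:
        raise ParameterTooLong(
            f"expected length {declared_chars}, actual {m['chars']}")
    return value


def numbered_name(prefix: str, length: int) -> str:
    """Rebuild names shaped like the report's: 'u2345678901234...'."""
    return prefix + "".join(str(i % 10) for i in range(2, length + 1))


if __name__ == "__main__":
    cases = [  # constructed from the values quoted in this issue
        ("abcdefgh", 2),                                   # varchar(2) test case
        (numbered_name("u", 65), 64),                      # 65-character user name
        (numbered_name("u", 65) * 3 + numbered_name("u", 60), 64),  # 255-byte login
        ("\u65e5\u672c", 2),                               # legitimate 2-char, 6-byte value
    ]
    for value, limit in cases:
        m = measure(value, limit)
        print(f"limit={limit:>2} chars={m['chars']:>3} bytes={m['bytes']:>3} "
              f"capacity={m['byte_capacity']:>3} "
              f"fits_bytes={m['fits_bytes']} fits_chars={m['fits_chars']}")
```
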