Back-ported upstream patch for CVE-2008-4456 (mysql command line client XSS flaw) --- upstream bug #27884.
diff -Naur mysql-5.0.77.orig/client/mysql.cc mysql-5.0.77/client/mysql.cc
--- mysql-5.0.77.orig/client/mysql.cc 2009-01-29 16:41:57.000000000 -0500
+++ mysql-5.0.77/client/mysql.cc 2009-05-25 13:19:49.000000000 -0400
@@ -3346,9 +3346,12 @@
 {
 while((field = mysql_fetch_field(result)))
 {
- tee_fprintf(PAGER, "<TH>%s</TH>", (field->name ?
- (field->name[0] ? field->name :
- " ") : "NULL"));
+ tee_fputs("<TH>", PAGER);
+ if (field->name && field->name[0])
+ xmlencode_print(field->name, field->name_length);
+ else
+ tee_fputs(field->name ? " " : "NULL", PAGER);
+ tee_fputs("</TH>", PAGER);
 }
 (void) tee_fputs("</TR>", PAGER);
 }
@@ -3359,7 +3362,7 @@
 for (uint i=0; i < mysql_num_fields(result); i++)
 {
 (void) tee_fputs("<TD>", PAGER);
- safe_put_field(cur[i],lengths[i]);
+ xmlencode_print(cur[i], lengths[i]);
 (void) tee_fputs("</TD>", PAGER);
 }
 (void) tee_fputs("</TR>", PAGER);
diff -Naur mysql-5.0.77.orig/mysql-test/r/mysql.result mysql-5.0.77/mysql-test/r/mysql.result
--- mysql-5.0.77.orig/mysql-test/r/mysql.result 2009-01-29 17:38:17.000000000 -0500
+++ mysql-5.0.77/mysql-test/r/mysql.result 2009-05-25 13:19:49.000000000 -0400
@@ -186,4 +186,5 @@
 2
 2
 2
+<TABLE BORDER=1><TR><TH><</TH></TR><TR><TD>< & ></TD></TR></TABLE>
 End of 5.0 tests
diff -Naur mysql-5.0.77.orig/mysql-test/t/mysql.test mysql-5.0.77/mysql-test/t/mysql.test
--- mysql-5.0.77.orig/mysql-test/t/mysql.test 2009-01-29 17:37:54.000000000 -0500
+++ mysql-5.0.77/mysql-test/t/mysql.test 2009-05-25 13:20:20.000000000 -0400
@@ -309,4 +309,10 @@
 --exec $MYSQL -c < $MYSQLTEST_VARDIR/tmp/bug38158.sql 2>&1
 remove_file $MYSQLTEST_VARDIR/tmp/bug38158.sql;
+#
+# Bug #27884: mysql --html does not quote HTML special characters in output
+#
+--exec $MYSQL --html test -e "select '< & >' as \`<\`"
+--echo
+
 --echo End of 5.0 tests
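Review bot: In the first hunk of client/mysql.cc (the `<TH>` loop), nothing records why the column name now goes through `xmlencode_print`, and the fallback tests `field->name` a second time inside the `else`. A comment above the `if`, for example `/* column names come from the result set and may contain markup; encode them before writing them into the --html table */`, would stop a later cleanup from folding the three calls back into a single `tee_fprintf` with `%s`. The two literal fallbacks are constants and need no encoding, which the comment could also say. The enclosing function starts and ends outside the hunk.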
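Review bot: In the second hunk of client/mysql.cc (the `<TD>` loop), replacing `safe_put_field(cur[i],lengths[i])` with `xmlencode_print(cur[i], lengths[i])` swaps one helper's handling of unusual values for another's, and neither definition is part of this patch. Before relying on the back-port, confirm that `xmlencode_print` accepts a null `cur[i]` (presumably a NULL column value), and that it writes all `lengths[i]` bytes rather than stopping at an embedded NUL byte. Also confirm that its length parameter is as wide as the type of `lengths[i]`, so a large value is not narrowed. If any of these does not hold, binary or NULL cells in `--html` output would be truncated or mishandled even though the markup characters are now encoded. The enclosing function begins and ends outside the hunk.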
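Review bot: The regression test added to mysql-test/t/mysql.test exercises only `<`, `&` and `>` in one alias and one value, so the `"NULL"` and empty-name fallbacks in the header branch and a NULL cell in the data branch are never run. A second statement along the lines of `--exec $MYSQL --html test -e "select NULL as a"` would pin those paths in mysql.result. Separately, the expected line in mysql.result appears on this page with literal `<`, `&` and `>` inside the `<TH>` and `<TD>` cells. A recorded result for this fix should show the entity-encoded forms, so this is presumably a rendering artifact of the page and should be checked against the original patch.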