Commit 0abc0ead authored by Martin Hansson's avatar Martin Hansson

Bug#35600: Security breach via view, I_S table and prepared

statement/stored procedure

View privileges are properly checked after the fix for bug no.
36086, so the method TABLE_LIST::get_db_name() must be used
instead of the field TABLE_LIST::db, as the field only works for tables.
The bug appears when accessing views in prepared statements.
parent a43242ea
...@@ -978,7 +978,9 @@ CREATE DATABASE mysqltest1; ...@@ -978,7 +978,9 @@ CREATE DATABASE mysqltest1;
USE mysqltest1; USE mysqltest1;
CREATE VIEW v1 AS SELECT * FROM information_schema.tables LIMIT 1; CREATE VIEW v1 AS SELECT * FROM information_schema.tables LIMIT 1;
CREATE ALGORITHM = TEMPTABLE VIEW v2 AS SELECT 1 AS A; CREATE ALGORITHM = TEMPTABLE VIEW v2 AS SELECT 1 AS A;
CREATE VIEW test.v3 AS SELECT 1 AS a;
GRANT SELECT ON mysqltest1.* to mysqluser1@localhost; GRANT SELECT ON mysqltest1.* to mysqluser1@localhost;
GRANT ALL ON test.* TO mysqluser1@localhost;
PREPARE stmt_v1 FROM "SELECT * FROM mysqltest1.v1"; PREPARE stmt_v1 FROM "SELECT * FROM mysqltest1.v1";
PREPARE stmt_v2 FROM "SELECT * FROM mysqltest1.v2"; PREPARE stmt_v2 FROM "SELECT * FROM mysqltest1.v2";
REVOKE SELECT ON mysqltest1.* FROM mysqluser1@localhost; REVOKE SELECT ON mysqltest1.* FROM mysqluser1@localhost;
...@@ -986,6 +988,11 @@ EXECUTE stmt_v1; ...@@ -986,6 +988,11 @@ EXECUTE stmt_v1;
ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 'v1' ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 'v1'
EXECUTE stmt_v2; EXECUTE stmt_v2;
ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 'v2' ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 'v2'
PREPARE stmt FROM "SELECT a FROM v3";
EXECUTE stmt;
a
1
DROP VIEW v1, v2; DROP VIEW v1, v2;
DROP DATABASE mysqltest1; DROP DATABASE mysqltest1;
DROP VIEW test.v3;
DROP USER mysqluser1@localhost; DROP USER mysqluser1@localhost;
...@@ -1265,8 +1265,11 @@ USE mysqltest1; ...@@ -1265,8 +1265,11 @@ USE mysqltest1;
CREATE VIEW v1 AS SELECT * FROM information_schema.tables LIMIT 1; CREATE VIEW v1 AS SELECT * FROM information_schema.tables LIMIT 1;
CREATE ALGORITHM = TEMPTABLE VIEW v2 AS SELECT 1 AS A; CREATE ALGORITHM = TEMPTABLE VIEW v2 AS SELECT 1 AS A;
CREATE VIEW test.v3 AS SELECT 1 AS a;
--connection default --connection default
GRANT SELECT ON mysqltest1.* to mysqluser1@localhost; GRANT SELECT ON mysqltest1.* to mysqluser1@localhost;
GRANT ALL ON test.* TO mysqluser1@localhost;
--connect (connection1, localhost, mysqluser1, , test) --connect (connection1, localhost, mysqluser1, , test)
PREPARE stmt_v1 FROM "SELECT * FROM mysqltest1.v1"; PREPARE stmt_v1 FROM "SELECT * FROM mysqltest1.v1";
...@@ -1281,9 +1284,15 @@ REVOKE SELECT ON mysqltest1.* FROM mysqluser1@localhost; ...@@ -1281,9 +1284,15 @@ REVOKE SELECT ON mysqltest1.* FROM mysqluser1@localhost;
EXECUTE stmt_v1; EXECUTE stmt_v1;
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
EXECUTE stmt_v2; EXECUTE stmt_v2;
--disconnect connection1 --disconnect connection1
--connect (connection2, localhost, mysqluser1,,)
PREPARE stmt FROM "SELECT a FROM v3";
EXECUTE stmt;
--disconnect connection2
--connection default --connection default
DROP VIEW v1, v2; DROP VIEW v1, v2;
DROP DATABASE mysqltest1; DROP DATABASE mysqltest1;
DROP VIEW test.v3;
DROP USER mysqluser1@localhost; DROP USER mysqluser1@localhost;
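Review bot: The added connection2 case exercises only PREPARE/EXECUTE, while the commit title also names stored procedures; unless that path is covered elsewhere, a matching case that reads `v3` from inside a stored procedure would pin the privilege check for both entry points. The new lines also carry no comment saying what they assert; something like `# Bug#35600: PREPARE/EXECUTE on a view the user is allowed to read must succeed` above the `--connect (connection2, ...)` line would help. The unqualified `v3` depends on the default database of connection2, whose database argument is left empty, and that dependency looks intentional but is worth stating in the same comment.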
...@@ -5196,12 +5196,14 @@ check_table_access(THD *thd, ulong want_access,TABLE_LIST *tables, ...@@ -5196,12 +5196,14 @@ check_table_access(THD *thd, ulong want_access,TABLE_LIST *tables,
tables->grant.privilege= want_access; tables->grant.privilege= want_access;
else if (tables->db && thd->db && strcmp(tables->db, thd->db) == 0) else if (tables->db && thd->db && strcmp(tables->db, thd->db) == 0)
{ {
if (check_access(thd,want_access,tables->db,&tables->grant.privilege, if (check_access(thd, want_access, tables->get_db_name(),
0, no_errors, test(tables->schema_table))) &tables->grant.privilege, 0, no_errors,
test(tables->schema_table)))
goto deny; // Access denied goto deny; // Access denied
} }
else if (check_access(thd,want_access,tables->db,&tables->grant.privilege, else if (check_access(thd, want_access, tables->get_db_name(),
0, no_errors, test(tables->schema_table))) &tables->grant.privilege, 0, no_errors,
test(tables->schema_table)))
goto deny; goto deny;
} }
thd->security_ctx= backup_ctx; thd->security_ctx= backup_ctx;
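Review bot: The `else if (tables->db && thd->db && strcmp(tables->db, thd->db) == 0)` guard still reads the raw `tables->db` field, while the access check it selects now goes through `tables->get_db_name()`; if the field is unreliable for views, as the commit message states, the branch selection should not depend on it either. As shown on the new side, both branches make the identical `check_access()` call and both end in `goto deny`, so the strcmp split appears redundant and could collapse into a single `else if (check_access(...)) goto deny;`. A one-line comment such as `/* Use get_db_name(): TABLE_LIST::db is only valid for base tables, not views */` above the call would keep a later cleanup from reverting to the field. check_table_access() starts and ends outside the hunk, so any other uses of `tables->db` in it are not visible here.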