Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES

check_access() returning false for a database does not guarantee that the access is granted to it. This wrong condition in filling the INFORMATION_SCHEMA tables causes extra tables to be returned to the user even if he has no rights to see them. Fixed by correcting the condition.

Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
check_access() returning false for a database does not guarantee that the access is granted to it. This wrong condition in filling the INFORMATION_SCHEMA tables causes extra tables to be returned to the user even if he has no rights to see them. Fixed by correcting the condition.
679de2bb · Georgi Kodinov · e4b71385 · 679de2bb · 679de2bb · 679de2bb
Commit 679de2bb authored Jan 21, 2010 by Georgi Kodinov
Showing with 53 additions and 4 deletions

mysql-test/r/information_schema.result mysql-test/r/information_schema.result +22 -0

mysql-test/t/information_schema.test mysql-test/t/information_schema.test +27 -0

sql/sql_show.cc sql/sql_show.cc +4 -4

No files found.
--- a/mysql-test/r/information_schema.result
+++ b/mysql-test/r/information_schema.result
@@ -1725,4 +1725,26 @@ SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0;
 TEST_RESULT
 OK
 SET TIMESTAMP=DEFAULT;
+#
+# Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
+#
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1 (id INT);
+CREATE USER nonpriv;
+USE test;
+# connected as nonpriv
+# Should return 0
+SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';
+COUNT(*)
+0
+USE INFORMATION_SCHEMA;
+# Should return 0
+SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1';
+COUNT(*)
+0
+# connected as root
+DROP USER nonpriv;
+DROP TABLE db1.t1;
+DROP DATABASE db1;
 End of 5.1 tests.
--- a/mysql-test/t/information_schema.test
+++ b/mysql-test/t/information_schema.test
@@ -1419,6 +1419,33 @@ SET TIMESTAMP=@@TIMESTAMP + 10000000;
 SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0;
 SET TIMESTAMP=DEFAULT;
+--echo #
+--echo # Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
+--echo #
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1 (id INT);
+CREATE USER nonpriv;
+USE test;
+connect (nonpriv_con, localhost, nonpriv,,);
+connection nonpriv_con;
+--echo # connected as nonpriv
+--echo # Should return 0
+SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';
+USE INFORMATION_SCHEMA;
+--echo # Should return 0
+SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1';
+connection default;
+--echo # connected as root
+disconnect nonpriv_con;
+DROP USER nonpriv;
+DROP TABLE db1.t1;
+DROP DATABASE db1;
 --echo End of 5.1 tests.
 # Wait till all disconnects are completed

--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -3367,11 +3367,11 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond)
  while ((db_name= it++))
  {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-    if (!check_access(thd,SELECT_ACL, db_name->str, 
+    if (!(check_access(thd,SELECT_ACL, db_name->str, 
-                      &thd->col_access, 0, 1, with_i_schema) ||
+                       &thd->col_access, 0, 1, with_i_schema) ||
+          (!thd->col_access && check_grant_db(thd, db_name->str))) ||
        sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
-	acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) ||
+        acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0))
-	!check_grant_db(thd, db_name->str))
 #endif
    {
      thd->no_warnings_for_error= 1;