1. 14 Oct, 2011 1 commit
  2. 12 Oct, 2011 1 commit
  3. 06 Oct, 2011 1 commit
  4. 29 Sep, 2011 1 commit
    • Tatjana Azundris Nuernberg's avatar
      Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows /... · 546084eb
      Tatjana Azundris Nuernberg authored
      Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows / underlying table's name
      
      1 - If a user had SHOW VIEW and SELECT privileges on a view and
      this view was referencing another view, EXPLAIN SELECT on the outer
      view (that the user had privileges on) could reveal the structure
      of the underlying "inner" view as well as the number of rows in
      the underlying tables, even if the user had privileges on none of
      these referenced objects.
      
      This happened because we used DEFINER's UID ("SUID") not just for
      the view given in EXPLAIN, but also when checking privileges on
      the underlying views (where we should use the UID of the EXPLAIN's
      INVOKER instead).
      
      We no longer run the EXPLAIN SUID (with DEFINER's privileges).
      This prevents a possible exploit and makes permissions more
      orthogonal.
      
      2 - EXPLAIN SELECT would reveal a view's structure even if the user
      did not have SHOW VIEW privileges for that view, as long as they
      had SELECT privilege on the underlying tables.
      
      Instead of requiring both SHOW VIEW privilege on a view and SELECT
      privilege on all underlying tables, we were checking for presence
      of either of them.
      
      We now explicitly require SHOW VIEW and SELECT privileges on
      the view we run EXPLAIN SELECT on, as well as all its
      underlying views. We also require SELECT on all relevant
      tables. 
      546084eb
  5. 17 Aug, 2011 1 commit
  6. 22 Jul, 2011 1 commit
    • Alexander Nozdrin's avatar
      For for Bug#12696072: FIX OUTDATED COPYRIGHT NOTICES IN RUNTIME RELATED CLIENT · f7618904
      Alexander Nozdrin authored
      TOOLS
      
      Backport a fix for Bug 57094 from 5.5.
      The following revision was backported:
      
      # revision-id: alexander.nozdrin@oracle.com-20101006150613-ls60rb2tq5dpyb5c
      # parent: bar@mysql.com-20101006121559-am1e05ykeicwnx48
      # committer: Alexander Nozdrin <alexander.nozdrin@oracle.com>
      # branch nick: mysql-5.5-bugteam-bug57094
      # timestamp: Wed 2010-10-06 19:06:13 +0400
      # message:
      #   Fix for Bug 57094 (Copyright notice incorrect?).
      #   
      #   The fix is to:
      #     - introduce ORACLE_WELCOME_COPYRIGHT_NOTICE define to have a single place
      #       to specify copyright notice;
      #     - replace custom copyright notices with ORACLE_WELCOME_COPYRIGHT_NOTICE
      #       in programs.
      f7618904
  7. 18 Jul, 2011 1 commit
  8. 15 Jul, 2011 1 commit
  9. 12 Jul, 2011 1 commit
    • Luis Soares's avatar
      BUG#12695969 · eae6fde7
      Luis Soares authored
      Follow-up patch that adds the newly added header file to
      Makefile.am noinst_HEADERS.
      eae6fde7
  10. 11 Jul, 2011 1 commit
    • Luis Soares's avatar
      BUG#12695969: FIX OUTDATED COPYRIGHT NOTICES IN REPLACTION · cc17ce72
      Luis Soares authored
      CLIENT TOOLS
            
      The fix is to backport part of revision:
              
        - alexander.nozdrin@oracle.com-20101006150613-ls60rb2tq5dpyb5c
            
      from mysql-5.5. In detail, we add the oracle welcome notice
      header file proposed in the original patch and include/use it
      in client/mysqlbinlog.cc, replacing the existing and obsolete
      notice.
      cc17ce72
  11. 07 Jul, 2011 1 commit
  12. 06 Jul, 2011 1 commit
  13. 30 Jun, 2011 2 commits
  14. 29 Jun, 2011 1 commit
  15. 16 Jun, 2011 1 commit
  16. 10 Jun, 2011 2 commits
  17. 10 May, 2011 1 commit
  18. 06 May, 2011 1 commit
  19. 05 May, 2011 1 commit
  20. 04 May, 2011 3 commits
  21. 28 Apr, 2011 1 commit
    • Georgi Kodinov's avatar
      Bug #11764517: 57359: POSSIBLE TO CIRCUMVENT SECURE_FILE_PRIV · 4c5dfc00
      Georgi Kodinov authored
        USING '..' ON WINDOWS
      
      Backport of the fix to 5.0 (to be null-merged to 5.1).
      Moved the test into the main test suite. 
      Made mysql-test-run.pl to not use symlinks for sdtdata as the symlinks
      are now properly recognized by secure_file_priv.
      Made sure the paths in load_file(), LOAD DATA and SELECT .. INTO OUTFILE 
      that are checked against secure_file_priv in a correct way similarly to 5.1 
      by the extended is_secure_file_path() backport before the comparison.
      Added an extensive test with all the variants of upper/lower case, 
      slash/backslash and case sensitivity.
      Added few comments to the code.
      4c5dfc00
  22. 18 Apr, 2011 1 commit
  23. 13 Apr, 2011 1 commit
  24. 11 Apr, 2011 6 commits
  25. 07 Apr, 2011 1 commit
  26. 22 Mar, 2011 2 commits
    • Magne Mahre's avatar
      Post-push fix for Bug 11896296 · 40af5949
      Magne Mahre authored
      Didn't build on Solaris.
      40af5949
    • Magne Mahre's avatar
      Bug#11896296 REMOVE LGPL LICENSED FILES IN MYSQL 5.0 · 7606856e
      Magne Mahre authored
      The LGPL license is used in some legacy code, and to
      adhere to current licensing polity, we remove those
      files that are no longer used, and reorganize the
      remaining LGPL code so it will be GPL licensed from
      now on.
      
      Note:  This patch only removed LGPL licensed files
             in MySQL 5.0, and is the first of a set of
             patches to remove LGPL from all trees.
             (See Bug# 11840513 for details)
      7606856e
  27. 21 Mar, 2011 3 commits
  28. 16 Mar, 2011 1 commit