Fix for bug #6173 "One can circumvent missing UPDATE privilege if

he has SELECT and INSERT privileges for table with primary key" Now we set lex->duplicates= DUP_UPDATE right in parser if INSERT has ON DUPLICATE KEY UPDATE clause, this simplifies insert_precheck() function (this also fixes a bug) and some other code. mysql-test/r/grant2.result: Added test for bug #6173 "One can circumvent missing UPDATE privilege if he has SELECT and INSERT privileges for table with primary key" mysql-test/t/grant2.test: Added test for bug #6173 "One can circumvent missing UPDATE privilege if he has SELECT and INSERT privileges for table with primary key" sql/mysql_priv.h: insert_precheck() don't need "update" parameter any longer since now we set lex->duplicates to DUP_UPDATE if INSERT has ON DUPLICATE KEY UPDATE clause. sql/sql_parse.cc: insert_precheck() don't need "update" parameter any longer since now we set lex->duplicates to DUP_UPDATE if INSERT has ON DUPLICATE KEY UPDATE clause, so it can determine whenever it is needed to require UPDATE_ACL by itself. Also calling of mysql_insert() is simplified. sql/sql_prepare.cc: insert_precheck() don't need "update" parameter any longer since now we set lex->duplicates to DUP_UPDATE if INSERT has ON DUPLICATE KEY UPDATE clause, so it can determine whenever it is needed to require UPDATE_ACL by itself. Also calling of mysql_insert() is simplified. sql/sql_yacc.yy: It is better to set Lex->duplicates= DUP_UPDATE right in parser if we have INSERT with ON DUPLICATE KEY UPDATE clause, rather doing this later.
author: unknown <dlenev@brandersnatch.localdomain> 2004-10-20 16:04:43 +0400
committer: unknown <dlenev@brandersnatch.localdomain> 2004-10-20 16:04:43 +0400
commit: b88150c96edf457099922a7e0a11831160bc5a67 (patch)
tree: cc5a947dac611d8db606dd3485b05f87a26b8bcd
parent: f125849dd1fa2b7eaca3aea5f84d7d79fb201ec2 (diff)
download: mariadb-git-b88150c96edf457099922a7e0a11831160bc5a67.tar.gz
6 files changed, 85 insertions, 18 deletions
diff --git a/mysql-test/r/grant2.result b/mysql-test/r/grant2.result
index 31e506d2679..a31fa2ac3dc 100644
--- a/mysql-test/r/grant2.result
+++ b/mysql-test/r/grant2.result
@@ -1,6 +1,9 @@
 SET NAMES binary;
+drop database if exists mysqltest;
 delete from mysql.user where user like 'mysqltest\_%';
 delete from mysql.db where user like 'mysqltest\_%';
+delete from mysql.tables_priv where user like 'mysqltest\_%';
+delete from mysql.columns_priv where user like 'mysqltest\_%';
 flush privileges;
 grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
 select current_user();
@@ -25,3 +28,27 @@ ERROR 42000: There is no such grant defined for user 'mysqltest_3' on host 'loca
 delete from mysql.user where user like 'mysqltest\_%';
 delete from mysql.db where user like 'mysqltest\_%';
 flush privileges;
+create database mysqltest;
+grant INSERT, SELECT on mysqltest.* to mysqltest_1@localhost;
+flush privileges;
+use mysqltest;
+create table t1 (id int primary key, data varchar(255));
+show grants for current_user();
+Grants for mysqltest_1@localhost
+GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
+GRANT SELECT, INSERT ON `mysqltest`.* TO 'mysqltest_1'@'localhost'
+use mysqltest;
+insert into t1 values (1, 'I can''t change it!');
+update t1 set data='I can change it!' where id = 1;
+ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysqltest'
+insert into t1 values (1, 'XXX') on duplicate key update data= 'I can change it!';
+ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysqltest'
+select * from t1;
+id	data
+1	I can't change it!
+drop table t1;
+drop database mysqltest;
+use test;
+delete from mysql.user where user like 'mysqltest\_%';
+delete from mysql.db where user like 'mysqltest\_%';
+flush privileges;
diff --git a/mysql-test/t/grant2.test b/mysql-test/t/grant2.test
index 3a9afa7453b..f86be0c95b9 100644
--- a/mysql-test/t/grant2.test
+++ b/mysql-test/t/grant2.test
@@ -6,13 +6,21 @@ SET NAMES binary;
 #
 
 
+# prepare playground before tests
+--disable_warnings
+drop database if exists mysqltest;
+--enable_warnings
+delete from mysql.user where user like 'mysqltest\_%';
+delete from mysql.db where user like 'mysqltest\_%';
+delete from mysql.tables_priv where user like 'mysqltest\_%';
+delete from mysql.columns_priv where user like 'mysqltest\_%';
+flush privileges;
+
+
 #
 # wild_compare fun
 #
 
-delete from mysql.user where user like 'mysqltest\_%';
-delete from mysql.db where user like 'mysqltest\_%';
-flush privileges;
 grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
 connect (user1,localhost,mysqltest_1,,);
 connection user1;
@@ -31,3 +39,33 @@ delete from mysql.user where user like 'mysqltest\_%';
 delete from mysql.db where user like 'mysqltest\_%';
 flush privileges;
 
+
+#
+# Bug #6173: One can circumvent missing UPDATE privilege if he has SELECT
+# and INSERT privilege for table with primary key
+#
+create database mysqltest;
+grant INSERT, SELECT on mysqltest.* to mysqltest_1@localhost;
+flush privileges;
+use mysqltest;
+create table t1 (id int primary key, data varchar(255));
+
+connect (mrbad, localhost, mysqltest_1,,);
+connection mrbad;
+show grants for current_user();
+use mysqltest;
+insert into t1 values (1, 'I can''t change it!');
+--error 1044
+update t1 set data='I can change it!' where id = 1;
+# This should not be allowed since it too require UPDATE privilege.
+--error 1044
+insert into t1 values (1, 'XXX') on duplicate key update data= 'I can change it!';
+select * from t1;
+
+connection default;
+drop table t1;
+drop database mysqltest;
+use test;
+delete from mysql.user where user like 'mysqltest\_%';
+delete from mysql.db where user like 'mysqltest\_%';
+flush privileges;
diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h
index 1a0879c6347..242a410876a 100644
--- a/sql/mysql_priv.h
+++ b/sql/mysql_priv.h
@@ -374,7 +374,7 @@ int multi_delete_precheck(THD *thd, TABLE_LIST *tables, uint *table_count);
 int insert_select_precheck(THD *thd, TABLE_LIST *tables);
 int update_precheck(THD *thd, TABLE_LIST *tables);
 int delete_precheck(THD *thd, TABLE_LIST *tables);
-int insert_precheck(THD *thd, TABLE_LIST *tables, bool update);
+int insert_precheck(THD *thd, TABLE_LIST *tables);
 int create_table_precheck(THD *thd, TABLE_LIST *tables,
 			  TABLE_LIST *create_table);
 Item *negate_expression(THD *thd, Item *expr);
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index e7a013e19ea..4d596feaa55 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -2682,12 +2682,11 @@ unsent_create_error:
   case SQLCOM_REPLACE:
   case SQLCOM_INSERT:
   {
-    my_bool update= (lex->value_list.elements ? UPDATE_ACL : 0);
-    if ((res= insert_precheck(thd, tables, update)))
+    if ((res= insert_precheck(thd, tables)))
       break;
     res = mysql_insert(thd,tables,lex->field_list,lex->many_values,
                        select_lex->item_list, lex->value_list,
-                       (update ? DUP_UPDATE : lex->duplicates));
+                       lex->duplicates);
     if (thd->net.report_error)
       res= -1;
     break;
@@ -5366,13 +5365,14 @@ int delete_precheck(THD *thd, TABLE_LIST *tables)
     -1  error (message is not sent to user)
 */
 
-int insert_precheck(THD *thd, TABLE_LIST *tables, bool update)
+int insert_precheck(THD *thd, TABLE_LIST *tables)
 {
   LEX *lex= thd->lex;
   DBUG_ENTER("insert_precheck");
 
-  ulong privilege= (lex->duplicates == DUP_REPLACE ?
-		    INSERT_ACL | DELETE_ACL : INSERT_ACL | update);
+  ulong privilege= INSERT_ACL |
+                   (lex->duplicates == DUP_REPLACE ? DELETE_ACL : 0) |
+                   (lex->duplicates == DUP_UPDATE ? UPDATE_ACL : 0);
 
   if (check_one_table_access(thd, privilege, tables))
     DBUG_RETURN(1);
diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
index 27d98fdfeba..0392b4e5cd6 100644
--- a/sql/sql_prepare.cc
+++ b/sql/sql_prepare.cc
@@ -895,10 +895,9 @@ static int mysql_test_insert(Prepared_statement *stmt,
   int res= -1;
   TABLE_LIST *insert_table_list=
     (TABLE_LIST*) lex->select_lex.table_list.first;
-  my_bool update= (lex->value_list.elements ? UPDATE_ACL : 0);
   DBUG_ENTER("mysql_test_insert");
 
-  if ((res= insert_precheck(thd, table_list, update)))
+  if ((res= insert_precheck(thd, table_list)))
     DBUG_RETURN(res);
 
   /*
@@ -1388,8 +1387,7 @@ static int send_prepare_results(Prepared_statement *stmt, bool text_protocol)
     res= mysql_test_insert(stmt, tables, lex->field_list,
 			   lex->many_values,
 			   select_lex->item_list, lex->value_list,
-			   (lex->value_list.elements ?
-			    DUP_UPDATE : lex->duplicates));
+			   lex->duplicates);
     break;
 
   case SQLCOM_UPDATE:
diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy
index c1513dd55e2..db41d07553c 100644
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -4136,14 +4136,18 @@ expr_or_default:
 opt_insert_update:
         /* empty */
         | ON DUPLICATE_SYM
-          { /* for simplisity, let's forget about
-               INSERT ... SELECT ... UPDATE
-               for a moment */
-	    if (Lex->sql_command != SQLCOM_INSERT)
+          { 
+            LEX *lex= Lex;
+            /*
+              For simplicity, let's forget about INSERT ... SELECT ... UPDATE
+              for a moment.
+            */
+	    if (lex->sql_command != SQLCOM_INSERT)
             {
 	      yyerror(ER(ER_SYNTAX_ERROR));
               YYABORT;
             }
+            lex->duplicates= DUP_UPDATE;
           }
           KEY_SYM UPDATE_SYM update_list
         ;
author	unknown <dlenev@brandersnatch.localdomain>	2004-10-20 16:04:43 +0400
committer	unknown <dlenev@brandersnatch.localdomain>	2004-10-20 16:04:43 +0400
commit	b88150c96edf457099922a7e0a11831160bc5a67 (patch)
tree	cc5a947dac611d8db606dd3485b05f87a26b8bcd
parent	f125849dd1fa2b7eaca3aea5f84d7d79fb201ec2 (diff)
download	mariadb-git-b88150c96edf457099922a7e0a11831160bc5a67.tar.gz