author | Georgi Kodinov <joro@sun.com> | 2010-01-21 17:14:10 +0200 |
---|---|---|
committer | Georgi Kodinov <joro@sun.com> | 2010-01-21 17:14:10 +0200 |
commit | 2c44919bdc9b6eb08d894fec4d730b88cb2b31ca (patch) | |
tree | 7abbe88c4d928279d9f69d1a1afd4802391f1b1a | |
parent | 4cfda7fd3b3fe10acb55eb9fbf0a5743defaab3b (diff) | |
download | mariadb-git-2c44919bdc9b6eb08d894fec4d730b88cb2b31ca.tar.gz |
Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
check_access() returning false for a database does not
guarantee that the access is granted to it.
This wrong condition in filling the INFORMATION_SCHEMA
tables causes extra tables to be returned to the user
even if he has no rights to see them.
Fixed by correcting the condition.
-rw-r--r-- | mysql-test/r/information_schema.result | 22 | ||||
-rw-r--r-- | mysql-test/t/information_schema.test | 27 | ||||
-rw-r--r-- | sql/sql_show.cc | 8 |
3 files changed, 53 insertions, 4 deletions
diff --git a/mysql-test/r/information_schema.result b/mysql-test/r/information_schema.result
index 9a75e478264..4ed7e4e700b 100644
--- a/mysql-test/r/information_schema.result
+++ b/mysql-test/r/information_schema.result
@@ -1725,4 +1725,26 @@ SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0;
 TEST_RESULT
 OK
 SET TIMESTAMP=DEFAULT;
+#
+# Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
+#
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1 (id INT);
+CREATE USER nonpriv;
+USE test;
+# connected as nonpriv
+# Should return 0
+SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';
+COUNT(*)
+0
+USE INFORMATION_SCHEMA;
+# Should return 0
+SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1';
+COUNT(*)
+0
+# connected as root
+DROP USER nonpriv;
+DROP TABLE db1.t1;
+DROP DATABASE db1;
 End of 5.1 tests.
diff --git a/mysql-test/t/information_schema.test b/mysql-test/t/information_schema.test
index 392d1062492..f3ce3d87252 100644
--- a/mysql-test/t/information_schema.test
+++ b/mysql-test/t/information_schema.test
@@ -1419,6 +1419,33 @@ SET TIMESTAMP=@@TIMESTAMP + 10000000;
 SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0;
 SET TIMESTAMP=DEFAULT;
+
+--echo #
+--echo # Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
+--echo #
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1 (id INT);
+CREATE USER nonpriv;
+USE test;
+
+connect (nonpriv_con, localhost, nonpriv,,);
+connection nonpriv_con;
+--echo # connected as nonpriv
+--echo # Should return 0
+SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';
+USE INFORMATION_SCHEMA;
+--echo # Should return 0
+SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1';
+
+connection default;
+--echo # connected as root
+disconnect nonpriv_con;
+DROP USER nonpriv;
+DROP TABLE db1.t1;
+DROP DATABASE db1;
+
+
 --echo End of 5.1 tests.
 # Wait till all disconnects are completed
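Review bot: The new case in information_schema.test only connects as an account that holds no privileges at all, so the `check_grant_db()` fallback that the sql_show.cc change in this commit moves inside the negated group is presumably exercised on its deny side only. A second case where nonpriv holds a grant on a different table in db1, set up with `CREATE TABLE t2 (id INT);` and `GRANT SELECT ON db1.t2 TO nonpriv;` before connecting, would pin that `TABLE_NAME='t1'` still counts 0 while `TABLE_NAME='t2'` is expected to count 1. That is the configuration where the database itself passes the gate and only per-table filtering keeps t1 hidden. The .result file would need regenerating to match.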
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index 5ec40d4893c..989606300d8 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -3367,11 +3367,11 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond)
 while ((db_name= it++))
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
- if (!check_access(thd,SELECT_ACL, db_name->str,
- &thd->col_access, 0, 1, with_i_schema) ||
+ if (!(check_access(thd,SELECT_ACL, db_name->str,
+ &thd->col_access, 0, 1, with_i_schema) ||
+ (!thd->col_access && check_grant_db(thd, db_name->str))) ||
 sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
- acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) ||
- !check_grant_db(thd, db_name->str))
+ acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0))
 #endif
 {
 thd->no_warnings_for_error= 1; |
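Review bot: The rewritten condition in get_all_tables() is hard to audit because nothing on these lines states the return conventions it depends on. As used here, check_access() and check_grant_db() both yield true when access is refused, acl_get() yields a privilege mask, and thd->col_access is filled by check_access() and then read in the very next operand. A short comment above the `if` would help keep a later edit from reintroducing the bug this commit fixes, for example `/* check_access() == false only means "not refused"; if it left col_access empty, require a table/column grant via check_grant_db() */` (wording to be confirmed against check_access() itself). The `sctx->master_access & (DB_ACLS | SHOW_DB_ACL)` operand would also read more safely wrapped in its own parentheses. The loop body continues past the end of the hunk, so whatever per-table filtering follows is not visible here.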