author | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-03-08 15:59:50 +0200 |
---|---|---|
committer | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-03-08 15:59:50 +0200 |
commit | 17417d53bde5e2e3f1132432a37aa2873568e21d (patch) | |
tree | c0b538561028641e437eca77c4f0fbe03139869f | |
parent | 9a74c307c35cbbeb706eb9a4f7a3746f14fdbb75 (diff) | |
MDEV-14443: check_grant mask grant_table entries with the deny mask
Previous code assumed that if any combination of rights is acceptable,
that means that the presence of the grant_table entries themselves
signifies that access is granted. However this is not true if the
deny_mask masks all bits present in the grant_tables. This is now
corrected.
TODO: column-level denies, however, are not evaluated.
-rw-r--r-- | sql/sql_acl.cc | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 1dd17b6f28a..1fb57f97b38 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -9376,7 +9376,14 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables, t_ref->get_table_name(), TRUE); - if (!grant_table && !grant_table_role) + const bool no_grant_table_rights= + !grant_table || + !((grant_table->privs | grant_table->cols) & ~deny_mask); + const bool no_grant_table_role_rights= + !grant_table_role || + !((grant_table_role->privs | grant_table_role->cols) & ~deny_mask); + + if (no_grant_table_rights && no_grant_table_role_rights) { want_access&= ~(t_ref->grant.privilege & ~deny_mask); goto err; // No grants |
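Review bot: No regression test accompanies this hunk (the diffstat lists only sql/sql_acl.cc); a test in which deny_mask covers every bit of an existing grant_table (and grant_table_role) entry would pin down the new "no grants" path, since the old `if (!grant_table && !grant_table_role)` treated the mere presence of the entry as sufficient. Also note that the new condition folds `grant_table->cols` into the OR, so a column-level grant on any single column still counts as table rights against a table-level deny_mask even though, per the commit message's TODO, column-level denies are not evaluated here; a short comment at `const bool no_grant_table_rights=` stating that limitation would save the next reader from assuming column denies are honoured by this check.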