diff options
| author | evgen@moonbone.local <> | 2007-05-11 23:19:11 +0400 |
|---|---|---|
| committer | evgen@moonbone.local <> | 2007-05-11 23:19:11 +0400 |
| commit | 34f478121f4e0b374c8cb1885bf08ca48ec669c6 (patch) | |
| tree | c1a6ef79fc28e911c7f4656d693d37ef057e1d61 | |
| parent | efb13e1bfe9b7e438325e85cae51d1bf9de476ad (diff) | |
| download | mariadb-git-34f478121f4e0b374c8cb1885bf08ca48ec669c6.tar.gz | |
Bug#27878: Unchecked privileges on a view referring to a table from another
database.
If a user has a right to update anything in the current database then the
access was granted and further checks of access rights for underlying tables
wasn't done correctly. The check is done before a view is opened and thus no
check of access rights for underlying tables can be carried out.
This allows a user to update through a view a table from another database for
which he hasn't enough rights.
Now the mysql_update() and the mysql_test_update() functions are forces
re-checking of access rights after a view is opened.
| -rw-r--r-- | mysql-test/r/grant.result | 19 | ||||
| -rw-r--r-- | mysql-test/t/grant.test | 25 | ||||
| -rw-r--r-- | sql/sql_prepare.cc | 5 | ||||
| -rw-r--r-- | sql/sql_update.cc | 5 |
4 files changed, 50 insertions, 4 deletions
diff --git a/mysql-test/r/grant.result b/mysql-test/r/grant.result index 6d014fbb71b..ca34b56b9cc 100644 --- a/mysql-test/r/grant.result +++ b/mysql-test/r/grant.result @@ -1105,4 +1105,23 @@ ERROR 42000: SELECT command denied to user 'mysqltest_2'@'localhost' for table ' DROP DATABASE mysqltest1; DROP DATABASE mysqltest2; DROP USER mysqltest_1@localhost; +use test; +CREATE TABLE t1 (f1 int, f2 int); +INSERT INTO t1 VALUES(1,1), (2,2); +CREATE DATABASE db27878; +GRANT UPDATE(f1) ON t1 TO 'mysqltest_1'@'localhost'; +GRANT SELECT ON `test`.* TO 'mysqltest_1'@'localhost'; +GRANT ALL ON db27878.* TO 'mysqltest_1'@'localhost'; +use db27878; +CREATE SQL SECURITY INVOKER VIEW db27878.v1 AS SELECT * FROM test.t1; +use db27878; +UPDATE v1 SET f2 = 4; +ERROR HY000: View 'db27878.v1' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them +SELECT * FROM test.t1; +f1 f2 +1 1 +2 2 +DROP VIEW v1; +use test; +DROP TABLE t1; End of 5.0 tests diff --git a/mysql-test/t/grant.test b/mysql-test/t/grant.test index 197f20db76e..c1eae9b3c36 100644 --- a/mysql-test/t/grant.test +++ b/mysql-test/t/grant.test @@ -413,6 +413,7 @@ connect (user1,localhost,mysqltest_1,,mysqltest,$MASTER_MYPORT,$MASTER_MYSOCK); connection user1; -- error 1142 alter table t1 rename t2; +disconnect user1; connection root; revoke all privileges on mysqltest.t1 from mysqltest_1@localhost; delete from mysql.user where user=_binary'mysqltest_1'; @@ -1122,5 +1123,29 @@ DROP DATABASE mysqltest2; DROP USER mysqltest_1@localhost; +# +# Bug#27878: Unchecked privileges on a view referring to a table from another +# database. +# +use test; +CREATE TABLE t1 (f1 int, f2 int); +INSERT INTO t1 VALUES(1,1), (2,2); +CREATE DATABASE db27878; +GRANT UPDATE(f1) ON t1 TO 'mysqltest_1'@'localhost'; +GRANT SELECT ON `test`.* TO 'mysqltest_1'@'localhost'; +GRANT ALL ON db27878.* TO 'mysqltest_1'@'localhost'; +use db27878; +CREATE SQL SECURITY INVOKER VIEW db27878.v1 AS SELECT * FROM test.t1; +connect (user1,localhost,mysqltest_1,,test); +connection user1; +use db27878; +--error 1356 +UPDATE v1 SET f2 = 4; +SELECT * FROM test.t1; +disconnect user1; +connection default; +DROP VIEW v1; +use test; +DROP TABLE t1; --echo End of 5.0 tests diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc index 1ec65743b0f..90361f8ff0d 100644 --- a/sql/sql_prepare.cc +++ b/sql/sql_prepare.cc @@ -1164,8 +1164,9 @@ static int mysql_test_update(Prepared_statement *stmt, goto error; #ifndef NO_EMBEDDED_ACCESS_CHECKS - /* TABLE_LIST contain right privilages request */ - want_privilege= table_list->grant.want_privilege; + /* Force privilege re-checking for views after they have been opened. */ + want_privilege= (table_list->view ? UPDATE_ACL : + table_list->grant.want_privilege); #endif if (mysql_prepare_update(thd, table_list, &select->where, diff --git a/sql/sql_update.cc b/sql/sql_update.cc index e17c71ae541..222e33345cc 100644 --- a/sql/sql_update.cc +++ b/sql/sql_update.cc @@ -173,8 +173,9 @@ int mysql_update(THD *thd, table->quick_keys.clear_all(); #ifndef NO_EMBEDDED_ACCESS_CHECKS - /* TABLE_LIST contain right privilages request */ - want_privilege= table_list->grant.want_privilege; + /* Force privilege re-checking for views after they have been opened. */ + want_privilege= (table_list->view ? UPDATE_ACL : + table_list->grant.want_privilege); #endif if (mysql_prepare_update(thd, table_list, &conds, order_num, order)) DBUG_RETURN(1); |