diff options
| author | Dmitry Shulga <dmitry.shulga@mariadb.com> | 2021-04-13 09:38:32 +0700 |
|---|---|---|
| committer | Dmitry Shulga <dmitry.shulga@mariadb.com> | 2021-04-13 09:38:32 +0700 |
| commit | 61f84bba603aa85957b48d151f9ddf5ba4e71ab1 (patch) | |
| tree | 2be7a6d393c6dff0b96c91d0433180ffd57674ce /mysql-test/main/ps.test | |
| parent | e14b682636bc78a20cb7bedf2af696a3f1eb79bc (diff) | |
| download | mariadb-git-61f84bba603aa85957b48d151f9ddf5ba4e71ab1.tar.gz | |
MDEV-25197: The statement set password=password('') executed in PS mode fails in case it is run by a user with expired passwordbb-10.4-MDEV-25197-3
A user connected to a server with an expired password
can't change password with the statement "SET password=..."
if this statement is run in PS mode. In mentioned use case a user
gets the error ER_MUST_CHANGE_PASSWORD on attempt to run
the statement PREPARE stmt FOR "SET password=...";
The reason of failure to reset password by a locked user using the
statement PREPARE stmt FOR "SET password=..." is that PS-related
statements are not listed among the commands allowed for execution
by a user with expired password. However, simple adding of PS-related
statements (PREPARE FOR/EXECUTE/DEALLOCATE PREPARE ) to the list of
statements allowed for execution by a locked user is not enough
to solve problems, since it opens the opportunity for a locked user
to execute any statement in the PS mode.
To exclude this opportunity, additional checking that the statement
being prepared for execution in PS-mode is the SET statement has to be added.
This extra checking has been added by this patch into the method
Prepared_statement::prepared() that executed on preparing any statement
for execution in PS-mode.
Diffstat (limited to 'mysql-test/main/ps.test')
| -rw-r--r-- | mysql-test/main/ps.test | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/mysql-test/main/ps.test b/mysql-test/main/ps.test index 2ce78b78e90..62a7efffbfd 100644 --- a/mysql-test/main/ps.test +++ b/mysql-test/main/ps.test @@ -4980,5 +4980,42 @@ DROP VIEW v1; DROP TABLE t1; --echo # +--echo # MDEV-25197: The statement set password=password('') executed in PS mode +--echo # fails in case it is run by a user with expired password +--echo # +CREATE USER user1@localhost PASSWORD EXPIRE; + +SET @disconnect_on_expired_password_save=@@global.disconnect_on_expired_password; +SET GLOBAL disconnect_on_expired_password=OFF; + +connect(con1,localhost,user1); +connection con1; +--echo # Check that no regular statement like SELECT can be prepared +--echo # by a user with an expired password +--error ER_MUST_CHANGE_PASSWORD +PREPARE stmt FROM "SELECT 1"; + +--echo # Check that the DEALLOCATE PREPARE statement can be run by a user +--echo # with an expired password +PREPARE stmt FROM "SET password=password('')"; +DEALLOCATE PREPARE stmt; + +--echo # Check that the SET PASSWORD statement can be executed in PS mode by +--echo # a user with an expired password +PREPARE stmt FROM "SET password=password('')"; +EXECUTE stmt; +PREPARE stmt FROM "SELECT 1"; +--echo # Check that user's password is not expired anymore +EXECUTE stmt; +DEALLOCATE PREPARE stmt; + +--echo # Clean up +disconnect con1; +connection default; + +SET GLOBAL disconnect_on_expired_password=@disconnect_on_expired_password_save; +DROP USER user1@localhost; + +--echo # --echo # End of 10.4 tests --echo # |