diff options
| author | Sergei Golubchik <sergii@pisem.net> | 2014-03-20 23:26:41 +0100 |
|---|---|---|
| committer | Sergei Golubchik <sergii@pisem.net> | 2014-03-20 23:26:41 +0100 |
| commit | 7b1b744f53aca6ca77f06cb1980c40da666387d1 (patch) | |
| tree | 1d42894ed10d0e66db74614304f04293ab33dcde /mysql-test/r/sp-security.result | |
| parent | 9ff0c9f730a79d4dab4303163d45c919f612cc37 (diff) | |
| download | mariadb-git-7b1b744f53aca6ca77f06cb1980c40da666387d1.tar.gz | |
MDEV-5849 MySQL bug#12602983 - User without privilege on routine can discover its existence by executing "select non_existing_func();" or by "call non_existing_proc()"
add or move privilege checks before existence checks
Diffstat (limited to 'mysql-test/r/sp-security.result')
| -rw-r--r-- | mysql-test/r/sp-security.result | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/mysql-test/r/sp-security.result b/mysql-test/r/sp-security.result index 88908b05f46..e8c3fbff0e3 100644 --- a/mysql-test/r/sp-security.result +++ b/mysql-test/r/sp-security.result @@ -617,3 +617,33 @@ SELECT 1 latin1 latin1_swedish_ci latin1_swedish_ci # Connection default DROP USER user2@localhost; DROP DATABASE db1; +# +# Test for bug#12602983 - User without privilege on routine can discover +# its existence by executing "select non_existing_func();" or by +# "call non_existing_proc()"; +# +drop database if exists mysqltest_db; +create database mysqltest_db; +create function mysqltest_db.f1() returns int return 0; +create procedure mysqltest_db.p1() begin end; +# Create user with no privileges on mysqltest_db database. +create user bug12602983_user@localhost; +# Connect as user 'bug12602983_user@localhost' +# Attempt to execute routine on which user doesn't have privileges +# should result in the same 'access denied' error whether +# routine exists or not. +select mysqltest_db.f_does_not_exist(); +ERROR 42000: execute command denied to user 'bug12602983_user'@'localhost' for routine 'mysqltest_db.f_does_not_exist' +call mysqltest_db.p_does_not_exist(); +ERROR 42000: execute command denied to user 'bug12602983_user'@'localhost' for routine 'mysqltest_db.p_does_not_exist' +select mysqltest_db.f1(); +ERROR 42000: execute command denied to user 'bug12602983_user'@'localhost' for routine 'mysqltest_db.f1' +call mysqltest_db.p1(); +ERROR 42000: execute command denied to user 'bug12602983_user'@'localhost' for routine 'mysqltest_db.p1' +create view bug12602983_v1 as select mysqltest_db.f_does_not_exist(); +ERROR 42000: execute command denied to user 'bug12602983_user'@'localhost' for routine 'mysqltest_db.f_does_not_exist' +create view bug12602983_v1 as select mysqltest_db.f1(); +ERROR 42000: execute command denied to user 'bug12602983_user'@'localhost' for routine 'mysqltest_db.f1' +# Connection 'default'. +drop user bug12602983_user@localhost; +drop database mysqltest_db; |