authorunknown <knielsen@knielsen-hq.org>2010-05-09 21:30:06 +0200
committerunknown <knielsen@knielsen-hq.org>2010-05-09 21:30:06 +0200
commitfcfb218f71b7d371a10df020994fc0a618639327 (patch)
tree60e5c9d773785de08bedcd54721cbdf6c894f66a /mysql-test/t/grant.test
parent07bfc5a2d6ebaa1a0da406177e443948ef93f5c7 (diff)
Cherry-pick fix for Bug#53371, security hole with bypassing grants using special path in db/table names.
Bump MariaDB version for security fix release.
Diffstat (limited to 'mysql-test/t/grant.test')
-rw-r--r--mysql-test/t/grant.test25
1 files changed, 25 insertions, 0 deletions
diff --git a/mysql-test/t/grant.test b/mysql-test/t/grant.test
index e89650c7aec..5bdb3ebe9bf 100644
--- a/mysql-test/t/grant.test
+++ b/mysql-test/t/grant.test
@@ -1525,5 +1525,30 @@ DROP USER 'user1'@'localhost';
DROP USER 'user2';
DROP DATABASE db1;
+
+#
+# Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
+#
+
+CREATE DATABASE db1;
+CREATE DATABASE db2;
+GRANT SELECT ON db1.* to 'testbug'@localhost;
+USE db2;
+CREATE TABLE t1 (a INT);
+USE test;
+connect (con1,localhost,testbug,,db1);
+--error ER_NO_SUCH_TABLE
+SELECT * FROM `../db2/tb2`;
+--error ER_TABLEACCESS_DENIED_ERROR
+SELECT * FROM `../db2`.tb2;
+--error ER_NO_SUCH_TABLE
+SELECT * FROM `#mysql50#/../db2/tb2`;
+connection default;
+disconnect con1;
+DROP USER 'testbug'@localhost;
+DROP TABLE db2.t1;
+DROP DATABASE db1;
+DROP DATABASE db2;
+
# Wait till we reached the initial number of concurrent sessions
--source include/wait_until_count_sessions.inc
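Review bot: All three probes select from a table named tb2, but the setup only creates db2.t1 (`CREATE TABLE t1 (a INT);`), so the target of the traversal-style names never exists. The two `--error ER_NO_SUCH_TABLE` expectations would therefore presumably also pass on a server that does not neutralise the path components, which means the test may not pin the regression it is named for. Pointing the probes at the real table (tb2 changed to t1 in the three SELECT statements) would make a grant bypass show up as an unexpected result set; the expected error codes should be re-confirmed against a fixed server after that change. The header comment also names COM_FIELD_LIST while only plain SELECTs are run, so a line such as `# Probes use SELECT; the COM_FIELD_LIST code path is not exercised by this test.` would keep the coverage claim accurate.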