authorJon Olav Hauglid <jon.hauglid@oracle.com>2011-04-11 12:24:50 +0200
committerJon Olav Hauglid <jon.hauglid@oracle.com>2011-04-11 12:24:50 +0200
commit108ad9e44bcc1121a6960fc317bc8643c2150c0c (patch)
tree869c62ce5075169ad2a562a6d49c2828911375eb /mysql-test/t/sp-security.test
parent26c03dbf5c1b286cdd487fe6cc4e8b6e73956b87 (diff)
Bug#11882603 SELECT_ACL ON ANY COLUMN IN MYSQL.PROC ALLOWS TO SEE
DEFINITION OF ANY ROUTINE. The problem was that having the SELECT privilege on any column of the mysql.proc table mistakenly allowed the user to see the definition of all routines (using SHOW CREATE PROCEDURE/FUNCTION and SHOW PROCEDURE/FUNCTION CODE). This patch fixes the problem by making sure that those commands are only allowed if the user has the SELECT privilege on the mysql.proc table itself. Test case added to sp-security.test.
Diffstat (limited to 'mysql-test/t/sp-security.test')
-rw-r--r--mysql-test/t/sp-security.test40
1 files changed, 40 insertions, 0 deletions
diff --git a/mysql-test/t/sp-security.test b/mysql-test/t/sp-security.test
index 3d41d90404d..dcbae756be9 100644
--- a/mysql-test/t/sp-security.test
+++ b/mysql-test/t/sp-security.test
@@ -950,6 +950,46 @@ DROP DATABASE B48872;
--echo End of 5.0 tests.
+--echo #
+--echo # Bug#11882603 SELECT_ACL ON ANY COLUMN IN MYSQL.PROC ALLOWS TO SEE
+--echo # DEFINITION OF ANY ROUTINE.
+--echo #
+
+--disable_warnings
+DROP DATABASE IF EXISTS db1;
+--enable_warnings
+
+CREATE DATABASE db1;
+CREATE PROCEDURE db1.p1() SELECT 1;
+CREATE USER user2@localhost IDENTIFIED BY '';
+GRANT SELECT(db) ON mysql.proc TO user2@localhost;
+
+--echo # Connection con2 as user2
+connect (con2, localhost, user2);
+--echo # The below statements before disclosed info from body_utf8 column.
+--error ER_SP_DOES_NOT_EXIST
+SHOW CREATE PROCEDURE db1.p1;
+--error ER_SP_DOES_NOT_EXIST
+SHOW PROCEDURE CODE db1.p1;
+
+--echo # Check that SHOW works with SELECT grant on whole table
+--echo # Connection default
+connection default;
+GRANT SELECT ON mysql.proc TO user2@localhost;
+
+--echo # Connection con2
+connection con2;
+--echo # This should work
+SHOW CREATE PROCEDURE db1.p1;
+SHOW PROCEDURE CODE db1.p1;
+
+--echo # Connection default
+connection default;
+disconnect con2;
+DROP USER user2@localhost;
+DROP DATABASE db1;
+
+
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
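Review bot: The FUNCTION variants named in the commit message are not exercised here: the test creates only `db1.p1`, so `SHOW CREATE FUNCTION` and `SHOW FUNCTION CODE` could regress without this test noticing. Adding `CREATE FUNCTION db1.f1() RETURNS INT RETURN 1;` next to the procedure and repeating `SHOW CREATE FUNCTION db1.f1;` and `SHOW FUNCTION CODE db1.f1;` in both the column-grant and table-grant phases would cover them. Separately, `SHOW PROCEDURE CODE` is only available in servers built with debugging support, so unless this file already sources `include/have_debug.inc` (not visible in the hunk) those statements will fail on release builds and may belong in a debug-only test file.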