author | Martin Hansson <mhansson@mysql.com> | 2008-09-09 12:49:08 +0200 |
---|---|---|
committer | Martin Hansson <mhansson@mysql.com> | 2008-09-09 12:49:08 +0200 |
commit | c0cfce21d6cf6d1a1fbd8b080f91ed6a88b78329 (patch) | |
tree | 8b572114372452909352e1cc7a4595354d141e7b /mysql-test/t/view_grant.test | |
parent | 3bad2119f9dedc581bf3b9d7335740f563db5803 (diff) | |
download | mariadb-git-c0cfce21d6cf6d1a1fbd8b080f91ed6a88b78329.tar.gz |
Bug#35600: Security breach via view, I_S table and prepared
statement/stored procedure
View privileges are properly checked after the fix for Bug#36086,
so the method TABLE_LIST::get_db_name() must be used instead of
the field TABLE_LIST::db, as the field only works for tables.
The bug appears when accessing views in prepared statements.
mysql-test/r/view_grant.result:
Bug#35600: Extended existing test case.
mysql-test/t/view_grant.test:
Bug#35600: Extended existing test result.
sql/sql_parse.cc:
Bug#35600: Using method to retrieve database name instead of
field.
Diffstat (limited to 'mysql-test/t/view_grant.test')
-rw-r--r-- | mysql-test/t/view_grant.test | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/mysql-test/t/view_grant.test b/mysql-test/t/view_grant.test
index afef5c5bc7b..4e8d97e4444 100644
--- a/mysql-test/t/view_grant.test
+++ b/mysql-test/t/view_grant.test
@@ -1265,8 +1265,11 @@ USE mysqltest1;
 CREATE VIEW v1 AS SELECT * FROM information_schema.tables LIMIT 1;
 CREATE ALGORITHM = TEMPTABLE VIEW v2 AS SELECT 1 AS A;
+CREATE VIEW test.v3 AS SELECT 1 AS a;
+
 --connection default
 GRANT SELECT ON mysqltest1.* to mysqluser1@localhost;
+GRANT ALL ON test.* TO mysqluser1@localhost;
 --connect (connection1, localhost, mysqluser1, , test)
 PREPARE stmt_v1 FROM "SELECT * FROM mysqltest1.v1";
@@ -1281,9 +1284,15 @@ REVOKE SELECT ON mysqltest1.* FROM mysqluser1@localhost;
 EXECUTE stmt_v1;
 --error ER_TABLEACCESS_DENIED_ERROR
 EXECUTE stmt_v2;
-
 --disconnect connection1
+
+--connect (connection2, localhost, mysqluser1,,)
+PREPARE stmt FROM "SELECT a FROM v3";
+EXECUTE stmt;
+--disconnect connection2
+
 --connection default
 DROP VIEW v1, v2;
 DROP DATABASE mysqltest1;
+DROP VIEW test.v3;
 DROP USER mysqluser1@localhost; |
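Review bot: `GRANT ALL ON test.* TO mysqluser1@localhost;` in the first hunk gives the test account far more than the new case uses, since the only object it reads is `test.v3` and only with SELECT. A narrower grant such as `GRANT SELECT ON test.v3 TO mysqluser1@localhost;` would keep the regression focused on the privilege lookup for the view itself, provided the case still reproduces the original failure with it. The grant is never revoked explicitly and appears to rely on the `DROP USER` in the second hunk; a one-line comment saying so would help whoever later reorders the cleanup.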
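Review bot: The new `connection2` block in the second hunk carries no comment tying it to Bug#35600, and it asserts only the success path. A comment above `--connect (connection2, localhost, mysqluser1,,)` such as `# Bug#35600: the privilege check for a view used in a prepared statement must resolve the view's own database` would record why `v3` lives in `test` rather than `mysqltest1`. If the test setup allows it, a second `EXECUTE stmt;` under `--error ER_TABLEACCESS_DENIED_ERROR` after the privileges on `test` are withdrawn would mirror the `stmt_v1`/`stmt_v2` checks above and pin the denial path too. Whether a revoke actually denies access depends on the default grants on `test` in this environment, which the hunk does not show.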