diff options
author | unknown <anozdrin/alik@booka.opbmk> | 2007-03-23 14:12:11 +0300 |
---|---|---|
committer | unknown <anozdrin/alik@booka.opbmk> | 2007-03-23 14:12:11 +0300 |
commit | bd49d8debfc1821cb9d158efb9cdfc55231e54ee (patch) | |
tree | 5bf7ae3a2e46723dd549f6affcf4c82a7890d903 /mysql-test/t | |
parent | b444f808828e42b64cdd4fa8bc9e901b1ae6e119 (diff) | |
download | mariadb-git-bd49d8debfc1821cb9d158efb9cdfc55231e54ee.tar.gz |
Fix for BUG#9504: Stored procedures: execute privilege doesn't
make 'use database' okay.
The problem was that we didn't check stored-routine privileges
in check_grant_db().
The patch adds this check.
mysql-test/r/grant.result:
Update result file.
mysql-test/r/sp-security.result:
Update result fil.
mysql-test/t/grant.test:
Added test case for BUG#9504.
mysql-test/t/sp-security.test:
Update test.
sql/sql_acl.cc:
Check stored routines privileges.
Diffstat (limited to 'mysql-test/t')
-rw-r--r-- | mysql-test/t/grant.test | 83 | ||||
-rw-r--r-- | mysql-test/t/sp-security.test | 77 |
2 files changed, 131 insertions, 29 deletions
diff --git a/mysql-test/t/grant.test b/mysql-test/t/grant.test index 82bf011d32f..92ed69d3f4b 100644 --- a/mysql-test/t/grant.test +++ b/mysql-test/t/grant.test @@ -875,4 +875,87 @@ GRANT PROCESS ON * TO user@localhost; disconnect con1; connection default; + +# +# BUG#9504: Stored procedures: execute privilege doesn't make 'use database' +# okay. +# + +# Prepare. + +--disable_warnings +DROP DATABASE IF EXISTS mysqltest1; +DROP DATABASE IF EXISTS mysqltest2; +DROP DATABASE IF EXISTS mysqltest3; +DROP DATABASE IF EXISTS mysqltest4; +--enable_warnings + +CREATE DATABASE mysqltest1; +CREATE DATABASE mysqltest2; +CREATE DATABASE mysqltest3; +CREATE DATABASE mysqltest4; + +CREATE PROCEDURE mysqltest1.p_def() SQL SECURITY DEFINER + SELECT 1; + +CREATE PROCEDURE mysqltest2.p_inv() SQL SECURITY INVOKER + SELECT 1; + +CREATE FUNCTION mysqltest3.f_def() RETURNS INT SQL SECURITY DEFINER + RETURN 1; + +CREATE FUNCTION mysqltest4.f_inv() RETURNS INT SQL SECURITY INVOKER + RETURN 1; + +GRANT EXECUTE ON PROCEDURE mysqltest1.p_def TO mysqltest_1@localhost; +GRANT EXECUTE ON PROCEDURE mysqltest2.p_inv TO mysqltest_1@localhost; +GRANT EXECUTE ON FUNCTION mysqltest3.f_def TO mysqltest_1@localhost; +GRANT EXECUTE ON FUNCTION mysqltest4.f_inv TO mysqltest_1@localhost; + +GRANT ALL PRIVILEGES ON test.* TO mysqltest_1@localhost; + +# Test. + +--connect (bug9504_con1,localhost,mysqltest_1,,) +--echo +--echo ---> connection: bug9504_con1 + +# - Check that we can switch to the db; + +use mysqltest1; + +use mysqltest2; + +use mysqltest3; + +use mysqltest4; + +# - Check that we can call stored routines; + +use test; + +CALL mysqltest1.p_def(); + +CALL mysqltest2.p_inv(); + +SELECT mysqltest3.f_def(); + +SELECT mysqltest4.f_inv(); + +# Cleanup. + +--connection default +--echo +--echo ---> connection: default + +--disconnect bug9504_con1 + +DROP DATABASE mysqltest1; +DROP DATABASE mysqltest2; +DROP DATABASE mysqltest3; +DROP DATABASE mysqltest4; + +DROP USER mysqltest_1@localhost; + + --echo End of 5.0 tests diff --git a/mysql-test/t/sp-security.test b/mysql-test/t/sp-security.test index a5d509f29b7..38c72fd4fa6 100644 --- a/mysql-test/t/sp-security.test +++ b/mysql-test/t/sp-security.test @@ -28,6 +28,7 @@ drop procedure db1_secret.dummy; use db1_secret; create table t1 ( u varchar(64), i int ); +insert into t1 values('test', 0); # A test procedure and function create procedure stamp(i int) @@ -35,7 +36,16 @@ create procedure stamp(i int) --replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00' show procedure status like 'stamp'; -create function db() returns varchar(64) return database(); +delimiter |; +create function db() returns varchar(64) +begin + declare v varchar(64); + + select u into v from t1 limit 1; + + return v; +end| +delimiter ;| --replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00' show function status like 'db'; @@ -63,14 +73,18 @@ call db1_secret.stamp(2); select db1_secret.db(); # ...but not this ---error 1142 +--error ER_TABLEACCESS_DENIED_ERROR select * from db1_secret.t1; # ...and not this ---error 1044 +--error ER_DBACCESS_DENIED_ERROR create procedure db1_secret.dummy() begin end; ---error 1305 +--error ER_SP_DOES_NOT_EXIST drop procedure db1_secret.dummy; +--error ER_PROCACCESS_DENIED_ERROR +drop procedure db1_secret.stamp; +--error ER_PROCACCESS_DENIED_ERROR +drop function db1_secret.db; # @@ -83,14 +97,18 @@ call db1_secret.stamp(3); select db1_secret.db(); # ...but not this ---error 1142 +--error ER_TABLEACCESS_DENIED_ERROR select * from db1_secret.t1; # ...and not this ---error 1044 +--error ER_DBACCESS_DENIED_ERROR create procedure db1_secret.dummy() begin end; ---error 1305 +--error ER_SP_DOES_NOT_EXIST drop procedure db1_secret.dummy; +--error ER_PROCACCESS_DENIED_ERROR +drop procedure db1_secret.stamp; +--error ER_PROCACCESS_DENIED_ERROR +drop function db1_secret.db; # @@ -121,9 +139,9 @@ select db(); connection con2user1; # This should not work ---error 1044 +--error ER_TABLEACCESS_DENIED_ERROR call db1_secret.stamp(5); ---error 1044 +--error ER_TABLEACCESS_DENIED_ERROR select db1_secret.db(); # @@ -132,9 +150,9 @@ select db1_secret.db(); connection con3anon; # This should not work ---error 1044 +--error ER_TABLEACCESS_DENIED_ERROR call db1_secret.stamp(6); ---error 1044 +--error ER_TABLEACCESS_DENIED_ERROR select db1_secret.db(); # @@ -165,7 +183,7 @@ use db2; create procedure p () insert into t2 values (1); # Check that this doesn't work. ---error 1142 +--error ER_TABLEACCESS_DENIED_ERROR call p(); connect (con4user2,localhost,user2,,); @@ -174,7 +192,7 @@ connection con4user2; use db2; # This should not work, since p is executed with definer's (user1's) rights. ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR call p(); select * from t2; @@ -207,9 +225,9 @@ alter procedure p modifies sql data; drop procedure p; # This should NOT work ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR alter procedure q modifies sql data; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure q; connection con1root; @@ -260,30 +278,30 @@ connect (con4userc,localhost,userc,,); connection con2usera; call sptest.p1(1); ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR grant execute on procedure sptest.p1 to userb@localhost; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure sptest.p1; connection con3userb; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR call sptest.p1(2); ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR grant execute on procedure sptest.p1 to userb@localhost; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure sptest.p1; connection con4userc; call sptest.p1(3); grant execute on procedure sptest.p1 to userb@localhost; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure sptest.p1; connection con3userb; call sptest.p1(4); ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR grant execute on procedure sptest.p1 to userb@localhost; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR drop procedure sptest.p1; connection con1root; @@ -332,7 +350,7 @@ delimiter ;// connect (user1,localhost,user1,,test); connection user1; use mysqltest; --- error 1370 +-- error ER_PROCACCESS_DENIED_ERROR select bug_9503(); connection root; @@ -401,13 +419,13 @@ grant usage on *.* to mysqltest_1@localhost; connect (n1,localhost,mysqltest_1,,information_schema,$MASTER_MYPORT,$MASTER_MYSOCK); connection n1; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR call mysqltest_1.p1(); disconnect n1; # Test also without a current database connect (n2,localhost,mysqltest_1,,*NO-ONE*,$MASTER_MYPORT,$MASTER_MYSOCK); connection n2; ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR call mysqltest_1.p1(); disconnect n2; @@ -433,9 +451,9 @@ end; create user user_bug12812@localhost IDENTIFIED BY 'ABC'| --replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK connect (test_user_12812,localhost,user_bug12812,ABC,test)| ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR SELECT test.bug12812()| ---error 1370 +--error ER_PROCACCESS_DENIED_ERROR CREATE VIEW v1 AS SELECT test.bug12812()| # Cleanup connection default| @@ -489,7 +507,8 @@ drop database db_bug14834; # -# BUG#14533: 'desc tbl' in stored procedure causes error 1142 +# BUG#14533: 'desc tbl' in stored procedure causes error +# ER_TABLEACCESS_DENIED_ERROR # create database db_bug14533; use db_bug14533; |