Bug#7391 - Multi-table UPDATE security regression

  Add in missing privilege checks. 
  Tests for the privileges.


mysql-test/r/grant.result:
  Bug#7391 - Multi-table UPDATE security regression
    Tests column, table and db level access
mysql-test/t/grant.test:
  Bug#7391 - Multi-table UPDATE security regression
    Tests column, table and db level access
sql/sql_update.cc:
  Bug#7391 - Multi-table UPDATE security regression
    Add in missing privilege checks.

1 files changed, 20 insertions, 0 deletions

diff --git a/sql/sql_update.cc b/sql/sql_update.cc
index cdcc90e8651..f7355f2e9b6 100644
--- a/sql/sql_update.cc
+++ b/sql/sql_update.cc
@@ -465,21 +465,34 @@ int mysql_multi_update(THD *thd,
     */
     for (tl= table_list ; tl ; tl=tl->next)
     {
+      TABLE_LIST *save= tl->next;
       TABLE *table= tl->table;
+      uint wants;
+      tl->next= 0;
       if (update_map & table->map) 
       {
 	DBUG_PRINT("info",("setting table `%s` for update", tl->alias));
 	tl->lock_type= thd->lex.lock_option;
 	tl->updating= 1;
+	wants= UPDATE_ACL;
       }
       else
       {
 	DBUG_PRINT("info",("setting table `%s` for read-only", tl->alias));
 	tl->lock_type= TL_READ;
 	tl->updating= 0;
+	wants= SELECT_ACL;
       }
       if (!using_lock_tables)
 	tl->table->reginfo.lock_type= tl->lock_type;
+
+      if (check_access(thd, wants, tl->db, &tl->grant.privilege, 0, 0) ||
+          (grant_option && check_grant(thd, wants, tl, 0, 0)))
+      {
+	tl->next= save;
+	DBUG_RETURN(0);
+      }
+      tl->next= save;
     }
 
     /* Relock the tables with the correct modes */
@@ -541,6 +554,13 @@ int mysql_multi_update(THD *thd,
     }
   }
 
+  /*
+    If we have no WHERE clause, make it true otherwise the Select
+    examines the privileges
+  */
+  if (!conds)
+    conds= new Item_int("1", 1LL, 1);
+  
   if (!(result=new multi_update(thd, table_list, fields, values,
 				handle_duplicates)))
     DBUG_RETURN(-1);