Fix for bug #58499 "DEFINER-security view selecting from

INVOKER-security view access check wrong". When privilege checks were done for tables used from an INVOKER-security view which in its turn was used from a DEFINER-security view connection's active security context was incorrectly used instead of security context with privileges of the second view's creator. This meant that users which had enough rights to access the DEFINER-security view and as result were supposed to be able successfully access it were unable to do so in cases when they didn't have privileges on underlying tables of the INVOKER-security view. This problem was caused by the fact that for INVOKER-security views TABLE_LIST::security_ctx member for underlying tables were set to 0 even in cases when particular view was used from another DEFINER-security view. This meant that when checks of privileges on these underlying tables was done in setup_tables_and_check_access() active connection security context was used instead of context corresponding to the creator of caller view. This fix addresses the problem by ensuring that underlying tables of an INVOKER-security view inherit security context from the view and thus correct security context is used for privilege checks on underlying tables in cases when such view is used from another view with DEFINER-security. mysql-test/r/view_grant.result: Added coverage for various combinations of DEFINER and INVOKER-security views, including test for bug #58499 "DEFINER-security view selecting from INVOKER-security view access check wrong". mysql-test/t/view_grant.test: Added coverage for various combinations of DEFINER and INVOKER-security views, including test for bug #58499 "DEFINER-security view selecting from INVOKER-security view access check wrong". sql/sql_view.cc: When opening a non-suid view ensure that its underlying tables will get the same security context as use for checking privileges on the view, i.e. security context of view invoker. This context can be different from the security context which is currently active for connection in cases when this non-suid view is used from a view with suid security. Inheriting security context in such situation allows correctly apply privileges of creator of suid view in checks for tables of non-suid view (since in this situation creator/definer of suid view serves as invoker for non-suid view).
author: Dmitry Lenev <Dmitry.Lenev@oracle.com> 2011-01-12 16:08:30 +0300
committer: Dmitry Lenev <Dmitry.Lenev@oracle.com> 2011-01-12 16:08:30 +0300
commit: 599457ae2c99944dc9c3a0de6a6792a437abfe7e (patch)
tree: a87619822b347c773fec5bbc601385ab7a1cbb6d /sql/sql_view.cc
parent: 3c5662c1951f59295a41b05274ed0be793b01843 (diff)
download: mariadb-git-599457ae2c99944dc9c3a0de6a6792a437abfe7e.tar.gz
1 files changed, 28 insertions, 14 deletions
diff --git a/sql/sql_view.cc b/sql/sql_view.cc
index 6cb4f590ae0..a25ef931344 100644
--- a/sql/sql_view.cc
+++ b/sql/sql_view.cc
@@ -1255,6 +1255,7 @@ bool mysql_make_view(THD *thd, File_parser *parser, TABLE_LIST *table,
     TABLE_LIST *view_tables= lex->query_tables;
     TABLE_LIST *view_tables_tail= 0;
     TABLE_LIST *tbl;
+    Security_context *security_ctx;
 
     /*
       Check rights to run commands (EXPLAIN SELECT & SHOW CREATE) which show
@@ -1396,26 +1397,39 @@ bool mysql_make_view(THD *thd, File_parser *parser, TABLE_LIST *table,
     if (table->view_suid)
     {
       /*
-        Prepare a security context to check underlying objects of the view
+        For suid views prepare a security context for checking underlying
+        objects of the view.
       */
       if (!(table->view_sctx= (Security_context *)
             thd->stmt_arena->alloc(sizeof(Security_context))))
         goto err;
-      /* Assign the context to the tables referenced in the view */
-      if (view_tables)
-      {
-        DBUG_ASSERT(view_tables_tail);
-        for (tbl= view_tables; tbl != view_tables_tail->next_global;
-             tbl= tbl->next_global)
-          tbl->security_ctx= table->view_sctx;
-      }
-      /* assign security context to SELECT name resolution contexts of view */
-      for(SELECT_LEX *sl= lex->all_selects_list;
-          sl;
-          sl= sl->next_select_in_list())
-        sl->context.security_ctx= table->view_sctx;
+      security_ctx= table->view_sctx;
+    }
+    else
+    {
+      /*
+        For non-suid views inherit security context from view's table list.
+        This allows properly handle situation when non-suid view is used
+        from within suid view.
+      */
+      security_ctx= table->security_ctx;
+    }
+
+    /* Assign the context to the tables referenced in the view */
+    if (view_tables)
+    {
+      DBUG_ASSERT(view_tables_tail);
+      for (tbl= view_tables; tbl != view_tables_tail->next_global;
+           tbl= tbl->next_global)
+        tbl->security_ctx= security_ctx;
     }
 
+    /* assign security context to SELECT name resolution contexts of view */
+    for(SELECT_LEX *sl= lex->all_selects_list;
+        sl;
+        sl= sl->next_select_in_list())
+      sl->context.security_ctx= security_ctx;
+
     /*
       Setup an error processor to hide error messages issued by stored
       routines referenced in the view
author	Dmitry Lenev <Dmitry.Lenev@oracle.com>	2011-01-12 16:08:30 +0300
committer	Dmitry Lenev <Dmitry.Lenev@oracle.com>	2011-01-12 16:08:30 +0300
commit	599457ae2c99944dc9c3a0de6a6792a437abfe7e (patch)
tree	a87619822b347c773fec5bbc601385ab7a1cbb6d /sql/sql_view.cc
parent	3c5662c1951f59295a41b05274ed0be793b01843 (diff)
download	mariadb-git-599457ae2c99944dc9c3a0de6a6792a437abfe7e.tar.gz