diff options
Diffstat (limited to 'mysql-test/r/grant.result')
-rw-r--r-- | mysql-test/r/grant.result | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/mysql-test/r/grant.result b/mysql-test/r/grant.result index 17ff46d2269..0acf6f69323 100644 --- a/mysql-test/r/grant.result +++ b/mysql-test/r/grant.result @@ -2525,3 +2525,29 @@ DROP USER mysqltest_u1@localhost; # End of Bug#38347. +# +# Bug#11756966 - 48958: STORED PROCEDURES CAN BE LEVERAGED TO BYPASS +# DATABASE SECURITY +# +DROP DATABASE IF EXISTS secret; +DROP DATABASE IF EXISTS no_such_db; +CREATE DATABASE secret; +GRANT USAGE ON *.* TO untrusted@localhost; +# Connection con1 +SHOW GRANTS; +Grants for untrusted@localhost +GRANT USAGE ON *.* TO 'untrusted'@'localhost' +SHOW DATABASES; +Database +information_schema +test +# Both statements below should fail with the same error. +# They used to give different errors, thereby +# hinting that the secret database exists. +CREATE PROCEDURE no_such_db.foo() BEGIN END; +ERROR 42000: Access denied for user 'untrusted'@'localhost' to database 'no_such_db' +CREATE PROCEDURE secret.peek_at_secret() BEGIN END; +ERROR 42000: Access denied for user 'untrusted'@'localhost' to database 'secret' +# Connection default +DROP USER untrusted@localhost; +DROP DATABASE secret; |