From 1cb6dc2b37c9dcf9bfeed2471b8562e78a33b25f Mon Sep 17 00:00:00 2001
From: unknown <evgen@sunlight.local>
Date: Thu, 20 Sep 2007 18:05:09 +0400
Subject: Bug#29908: A user can gain additional access through the ALTER VIEW.

Non-definer of a view was allowed to alter that view. Due to this the alterer
can elevate his access rights to access rights of the view definer and thus
modify data which he wasn't allowed to modify. A view defined with
SQL SECURITY INVOKER can't be used directly for access rights elevation.
But a user can first alter the view SQL code and then alter the view to
SQL SECURITY DEFINER and thus elevate his access rights. Due to this
altering a view with SQL SECURITY INVOKER is also prohibited.

Now the mysql_create_view function allows ALTER VIEW only to the view
definer or a super user.


mysql-test/t/view_grant.test:
  Added a test case for the bug#29908: A user can gain additional access through the
  ALTER VIEW.
  A test case was adjusted after fixfing bug#29908.
mysql-test/r/view_grant.result:
  Added a test case for the bug#29908: A user can gain additional access through the
  ALTER VIEW.
sql/sql_view.cc:
  Bug#29908: A user can gain additional access through the ALTER VIEW.
  Now the mysql_create_view function allows ALTER VIEW only to the view
  definer or a super user.
---
 sql/sql_view.cc | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

(limited to 'sql/sql_view.cc')

diff --git a/sql/sql_view.cc b/sql/sql_view.cc
index 35a97411511..28677cf8a72 100644
--- a/sql/sql_view.cc
+++ b/sql/sql_view.cc
@@ -223,9 +223,6 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views,
 {
   LEX *lex= thd->lex;
   bool link_to_local;
-#ifndef NO_EMBEDDED_ACCESS_CHECKS
-  bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer;
-#endif
   /* first table in list is target VIEW name => cut off it */
   TABLE_LIST *view= lex->unlink_first_table(&link_to_local);
   TABLE_LIST *tables= lex->query_tables;
@@ -280,7 +277,7 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views,
       - same as current user
       - current user has SUPER_ACL
   */
-  if (definer_check_is_needed &&
+  if (lex->definer &&
       (strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 ||
        my_strcasecmp(system_charset_info,
                      lex->definer->host.str,
-- 
cgit v1.2.1