From: Tor Didriksen  Date: January 30 2012 9:31am
Subject:bzr push into mysql-trunk branch (tor.didriksen:3802 to 3803)
 3803 Tor Didriksen	2012-01-30 [merge]
      merge 5.5 => trunk

    modified:
      libmysql/CMakeLists.txt
 3802 Praveenkumar Hulakund	2012-01-30
      BUG#12602983 - USER WITHOUT PRIVILEGE ON ROUTINE CAN DISCOVER ITS EXISTENCE
                       (TAKE #2)
        
        Description:
        ------------------------------------------------
        A user who doesn't have any privileges on the routine or on the mysql.proc table
        is still able to discover its existence. This is wrong, as one should not know
        anything about a database object unless one has privileges on it.
        
        Analysis:
        ------------------------------------------------
        The problem was that a user without any privileges on a routine was able to find
        out whether it existed or not. "select <func_name>" and "call <proc_name>"
        were checking for the existence of <func_name> or <proc_name> before
        checking whether the user had enough privileges to execute the routine.
        The error "<func_name> doesn't exist" or "<proc_name> doesn't exist" was
        reported.
        
        For CREATE, ALTER and DROP we are already providing proper errors:
            DROP:
            ---------
            mysql> drop function mysqltest.f1;
            ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for
                                routine 'mysqltest.f1'
            mysql> drop procedure  mysqltest.f1;
            ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for
                                routine 'mysqltest.f1'
            
            CREATE:
            ----------
            mysql> create function mysqltest.f1() returns int return 0; 
            ERROR 1044 (42000): Access denied for user ''@'localhost' to database 
                                'mysqltest'
            mysql> create procedure mysqltest.p1() begin end; 
            ERROR 1044 (42000): Access denied for user ''@'localhost' to database 
                                'mysqltest'
            
            ALTER:
            ---------
            mysql> alter function mysqltest.f1 comment "TESTING";
            ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for
                                routine 'mysqltest.f1'
            mysql> alter procedure  mysqltest.f1 comment "TESTING";
            ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for 
                                routine 'mysqltest.f1'
        
        For "SELECT <function_name>" and "CALL <procedure_name>" we were
        providing a "doesn't exist" error. Also, when a non-existing function is used while
        creating a view we see the same issue.
        
        Fix:
        ------------------------------------------------
        SELECT and CALL didn't have the logic to check the user's execute privilege on the
        routine. This patch solves the problem by checking the user's privileges before
        checking the existence of the function.
     @ mysql-test/r/lowercase_fs_off.result
            Permission to execute the procedure is verified before searching for the procedure.
            Since the procedure name is now printed from the name specified in the query, the new
            output has a capital P in db1.P1 (for the statement "call db1.P1").
     @ sql/item_func.cc
            For stored function calls in SELECT and CREATE VIEW, check the privilege to
            execute the stored function, by calling "check_routine_access", before
            checking its existence.
     @ sql/sql_parse.cc
            Check the privilege to execute the stored procedure, by calling
            "check_routine_access", before checking its existence.

    modified:
      mysql-test/r/lowercase_fs_off.result
      mysql-test/r/sp-security.result
      mysql-test/t/sp-security.test
      sql/item_func.cc
      sql/sql_parse.cc
=== modified file 'libmysql/CMakeLists.txt'
--- a/libmysql/CMakeLists.txt	2011-11-18 12:48:52 +0000
+++ b/libmysql/CMakeLists.txt	2012-01-30 09:30:13 +0000
@@ -25,6 +25,8 @@ INCLUDE_DIRECTORIES(
 ADD_DEFINITIONS(${SSL_DEFINES})
 
 SET(CLIENT_API_FUNCTIONS
+get_tty_password
+handle_options
 load_defaults
 mysql_thread_end
 mysql_thread_init
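Review bot: the commit message for 3803 says only "merge 5.5 => trunk", while the two added lines `get_tty_password` and `handle_options` extend CLIENT_API_FUNCTIONS, the list of symbols the client library exports, so a short note on which 5.5 change introduced them and which client needs them would help anyone auditing the library's exported surface later. The insertions keep the surrounding entries (load_defaults, mysql_thread_end, mysql_thread_init) in alphabetical order, which is worth preserving in the 5.5 branch as well.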
