3803 Tor Didriksen 2012-01-30 [merge]
merge 5.5 => trunk
modified:
libmysql/CMakeLists.txt
3802 Praveenkumar Hulakund 2012-01-30
BUG#12602983 - USER WITHOUT PRIVILEGE ON ROUTINE CAN DISCOVER ITS EXISTENCE
(TAKE #2)
Description:
------------------------------------------------
User which doesn't have any privileges on the routine or on mysql.proc table
still is able to discover its existence. This is wrong as one should not know
anything about a database object unless one has privileges on it.
Analysis:
------------------------------------------------
The problem was, user without any privileges on routine was able to find
out whether it existed or not. "select <func_name>" and "call <proc_name>"
were checking for the existence of the <func_name> or <proc_name>" before
checking whether user has enough privileges to execute function or not.
Error "<func_name> doesn't exists" or "<proc_name> doesn't exists" was
reported.
For CREATE, ALTER, DROP we are already providing proper error
DROP:
---------
mysql> drop function mysqltest.f1;
ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for
routine 'mysqltest.f1'
mysql> drop procedure mysqltest.f1;
ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for
routine 'mysqltest.f1'
CREATE:
----------
mysql> create function mysqltest.f1() returns int return 0;
ERROR 1044 (42000): Access denied for user ''@'localhost' to database
'mysqltest'
mysql> create procedure mysqltest.p1() begin end;
ERROR 1044 (42000): Access denied for user ''@'localhost' to database
'mysqltest'
ALTER:
---------
mysql> alter function mysqltest.f1 comment "TESTING";
ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for
routine 'mysqltest.f1'
mysql> alter procedure mysqltest.f1 comment "TESTING";
ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for
routine 'mysqltest.f1'
For "SELECT <function_name>" and "CALL <procedure_name>" we were
providing "doesn't exists" error. Also when non existing function is used while
creating the views we see same issue.
Fix:
------------------------------------------------
SELECT and CALL didn't have the logic to check execute privilege on routine for
the user. This patch solves problem by checking the privileges to user before
checking the existence of the function.
@ mysql-test/r/lowercase_fs_off.result
Permission to execute procedure is verified before searching the procedure.
Since, procedure name printed from the name specified in query now, new o/p
has capital P in db1.P1 (for the statement "call db1.P1")
@ sql/item_func.cc
For stored functions call in select and create view, checking the privilege to
execute stored function before checking the existence of it by calling
"check_routine_access".
@ sql/sql_parse.cc
Checking the privilege to execute stored procedure before checking the existence
of it by calling "check_routine_access".
modified:
mysql-test/r/lowercase_fs_off.result
mysql-test/r/sp-security.result
mysql-test/t/sp-security.test
sql/item_func.cc
sql/sql_parse.cc
=== modified file 'libmysql/CMakeLists.txt'
--- a/libmysql/CMakeLists.txt 2011-11-18 12:48:52 +0000
+++ b/libmysql/CMakeLists.txt 2012-01-30 09:30:13 +0000
@@ -25,6 +25,8 @@ INCLUDE_DIRECTORIES(
ADD_DEFINITIONS(${SSL_DEFINES})
SET(CLIENT_API_FUNCTIONS
+get_tty_password
+handle_options
load_defaults
mysql_thread_end
mysql_thread_init
No bundle (reason: useless for push emails).
| Thread |
|---|
| • bzr push into mysql-trunk branch (tor.didriksen:3802 to 3803) | Tor Didriksen | 30 Jan |
