From: Tor Didriksen Date: January 30 2012 9:31am Subject: bzr push into mysql-trunk branch (tor.didriksen:3802 to 3803) List-Archive: http://lists.mysql.com/commits/142626 Message-Id: <201201300931.q0U9V4aV015508@acsmt356.oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit 3803 Tor Didriksen 2012-01-30 [merge] merge 5.5 => trunk modified: libmysql/CMakeLists.txt 3802 Praveenkumar Hulakund 2012-01-30 BUG#12602983 - USER WITHOUT PRIVILEGE ON ROUTINE CAN DISCOVER ITS EXISTENCE (TAKE #2) Description: ------------------------------------------------ User which doesn't have any privileges on the routine or on mysql.proc table still is able to discover its existence. This is wrong as one should not know anything about a database object unless one has privileges on it. Analysis: ------------------------------------------------ The problem was, user without any privileges on routine was able to find out whether it existed or not. "select " and "call " were checking for the existence of the or " before checking whether user has enough privileges to execute function or not. Error " doesn't exists" or " doesn't exists" was reported. For CREATE, ALTER, DROP we are already providing proper error DROP: --------- mysql> drop function mysqltest.f1; ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for routine 'mysqltest.f1' mysql> drop procedure mysqltest.f1; ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for routine 'mysqltest.f1' CREATE: ---------- mysql> create function mysqltest.f1() returns int return 0; ERROR 1044 (42000): Access denied for user ''@'localhost' to database 'mysqltest' mysql> create procedure mysqltest.p1() begin end; ERROR 1044 (42000): Access denied for user ''@'localhost' to database 'mysqltest' ALTER: --------- mysql> alter function mysqltest.f1 comment "TESTING"; ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for routine 'mysqltest.f1' mysql> alter procedure mysqltest.f1 comment "TESTING"; ERROR 1370 (42000): alter routine command denied to user ''@'localhost' for routine 'mysqltest.f1' For "SELECT " and "CALL " we were providing "doesn't exists" error. Also when non existing function is used while creating the views we see same issue. Fix: ------------------------------------------------ SELECT and CALL didn't have the logic to check execute privilege on routine for the user. This patch solves problem by checking the privileges to user before checking the existence of the function. @ mysql-test/r/lowercase_fs_off.result Permission to execute procedure is verified before searching the procedure. Since, procedure name printed from the name specified in query now, new o/p has capital P in db1.P1 (for the statement "call db1.P1") @ sql/item_func.cc For stored functions call in select and create view, checking the privilege to execute stored function before checking the existence of it by calling "check_routine_access". @ sql/sql_parse.cc Checking the privilege to execute stored procedure before checking the existence of it by calling "check_routine_access". modified: mysql-test/r/lowercase_fs_off.result mysql-test/r/sp-security.result mysql-test/t/sp-security.test sql/item_func.cc sql/sql_parse.cc === modified file 'libmysql/CMakeLists.txt' --- a/libmysql/CMakeLists.txt 2011-11-18 12:48:52 +0000 +++ b/libmysql/CMakeLists.txt 2012-01-30 09:30:13 +0000 @@ -25,6 +25,8 @@ INCLUDE_DIRECTORIES( ADD_DEFINITIONS(${SSL_DEFINES}) SET(CLIENT_API_FUNCTIONS +get_tty_password +handle_options load_defaults mysql_thread_end mysql_thread_init No bundle (reason: useless for push emails).