• Developer Zone
• Lists Home
• FAQ

Below is the list of changes that have just been committed into a local
5.0 repository of gluh. When gluh does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-08-20 11:23:08+05:00, gluh@stripped +4 -0
  Bug#27629 Possible security flaw in INFORMATION_SCHEMA and SHOW statements
  added SUPER_ACL check for I_S.TRIGGERS

  mysql-test/r/information_schema.result@stripped, 2007-08-20 11:23:06+05:00, gluh@stripped
+25 -1
    result fix

  mysql-test/r/information_schema_db.result@stripped, 2007-08-20 11:23:06+05:00,
gluh@stripped +0 -2
    result fix

  mysql-test/t/information_schema.test@stripped, 2007-08-20 11:23:06+05:00, gluh@stripped +26
-0
    test case

  sql/sql_show.cc@stripped, 2007-08-20 11:23:06+05:00, gluh@stripped +8 -2
    added SUPER_ACL check for I_S.TRIGGERS

diff -Nrup a/mysql-test/r/information_schema.result
b/mysql-test/r/information_schema.result
--- a/mysql-test/r/information_schema.result	2007-07-12 02:10:26 +05:00
+++ b/mysql-test/r/information_schema.result	2007-08-20 11:23:06 +05:00
@@ -180,7 +180,6 @@ t1	a	select
 show columns from mysqltest.t1;
 Field	Type	Null	Key	Default	Extra
 a	int(11)	YES		NULL	
-b	varchar(30)	YES	MUL	NULL	
 select table_name, column_name, privileges from information_schema.columns
 where table_schema = 'mysqltest' and table_name = 'v1';
 table_name	column_name	privileges
@@ -1330,4 +1329,29 @@ alter database;
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '' at line 1
 alter database test;
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '' at line 1
+create database mysqltest;
+create table mysqltest.t1(a int, b int, c int);
+create trigger mysqltest.t1_ai after insert on mysqltest.t1
+for each row set @a = new.a + new.b + new.c;
+grant select(b) on mysqltest.t1 to mysqltest_1@localhost;
+select trigger_name from information_schema.triggers
+where event_object_table='t1';
+trigger_name
+t1_ai
+show triggers from mysqltest;
+Trigger	Event	Table	Statement	Timing	Created	sql_mode	Definer
+t1_ai	INSERT	t1	set @a = new.a + new.b + new.c	AFTER	NULL		root@localhost
+show columns from t1;
+Field	Type	Null	Key	Default	Extra
+b	int(11)	YES		NULL	
+select column_name from information_schema.columns where table_name='t1';
+column_name
+b
+show triggers;
+Trigger	Event	Table	Statement	Timing	Created	sql_mode	Definer
+select trigger_name from information_schema.triggers
+where event_object_table='t1';
+trigger_name
+drop user mysqltest_1@localhost;
+drop database mysqltest;
 End of 5.0 tests.
diff -Nrup a/mysql-test/r/information_schema_db.result
b/mysql-test/r/information_schema_db.result
--- a/mysql-test/r/information_schema_db.result	2007-03-23 22:24:01 +04:00
+++ b/mysql-test/r/information_schema_db.result	2007-08-20 11:23:06 +05:00
@@ -140,13 +140,11 @@ create view v2 as select f1 from testdb_
 create view v4 as select f1,f2 from testdb_1.v3;
 show fields from testdb_1.v5;
 Field	Type	Null	Key	Default	Extra
-f1	char(4)	YES		NULL	
 show create view testdb_1.v5;
 View	Create View
 v5	CREATE ALGORITHM=UNDEFINED DEFINER=`testdb_1`@`localhost` SQL SECURITY DEFINER VIEW
`testdb_1`.`v5` AS select `testdb_1`.`t1`.`f1` AS `f1` from `testdb_1`.`t1`
 show fields from testdb_1.v6;
 Field	Type	Null	Key	Default	Extra
-f1	char(4)	YES		NULL	
 show create view testdb_1.v6;
 View	Create View
 v6	CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW
`testdb_1`.`v6` AS select `testdb_1`.`t1`.`f1` AS `f1` from `testdb_1`.`t1`
diff -Nrup a/mysql-test/t/information_schema.test b/mysql-test/t/information_schema.test
--- a/mysql-test/t/information_schema.test	2007-07-12 02:10:26 +05:00
+++ b/mysql-test/t/information_schema.test	2007-08-20 11:23:06 +05:00
@@ -1045,4 +1045,30 @@ drop table t1,t2;
 alter database;
 --error ER_PARSE_ERROR
 alter database test;
+
+#
+# Bug#27629 Possible security flaw in INFORMATION_SCHEMA and SHOW statements
+#
+
+create database mysqltest;
+create table mysqltest.t1(a int, b int, c int);
+create trigger mysqltest.t1_ai after insert on mysqltest.t1
+  for each row set @a = new.a + new.b + new.c;
+grant select(b) on mysqltest.t1 to mysqltest_1@localhost;
+
+select trigger_name from information_schema.triggers
+where event_object_table='t1';
+show triggers from mysqltest;
+
+connect (con27629,localhost,mysqltest_1,,mysqltest);
+show columns from t1;
+select column_name from information_schema.columns where table_name='t1';
+
+show triggers;
+select trigger_name from information_schema.triggers
+where event_object_table='t1';
+connection default;
+drop user mysqltest_1@localhost;
+drop database mysqltest;
+
 --echo End of 5.0 tests.
diff -Nrup a/sql/sql_show.cc b/sql/sql_show.cc
--- a/sql/sql_show.cc	2007-07-28 17:01:43 +05:00
+++ b/sql/sql_show.cc	2007-08-20 11:23:06 +05:00
@@ -2684,8 +2684,7 @@ static int get_schema_column_record(THD 
     col_access= get_column_grant(thd, &tables->grant, 
                                  base_name, file_name,
                                  field->field_name) & COL_ACLS;
-    if (lex->orig_sql_command != SQLCOM_SHOW_FIELDS  && 
-        !tables->schema_table && !col_access)
+    if (!tables->schema_table && !col_access)
       continue;
     end= tmp;
     for (uint bitnr=0; col_access ; col_access>>=1,bitnr++)
@@ -3381,6 +3380,12 @@ static int get_schema_triggers_record(TH
   {
     Table_triggers_list *triggers= tables->table->triggers;
     int event, timing;
+
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+    if (!(thd->security_ctx->master_access & SUPER_ACL))
+      goto ret;
+#endif
+
     for (event= 0; event < (int)TRG_EVENT_MAX; event++)
     {
       for (timing= 0; timing < (int)TRG_ACTION_MAX; timing++)
@@ -3407,6 +3412,7 @@ static int get_schema_triggers_record(TH
       }
     }
   }
+ret:
   DBUG_RETURN(0);
 }