Hi,
Ok to push.
However, one more request:
Could you please highlight in the CS comment that the patch introduces
backward-incompatible changes?
Thank you!
On Thursday 20 September 2007 18:05, eugene@stripped wrote:
> Below is the list of changes that have just been committed into a local
> 5.0 repository of evgen. When evgen does a push these changes will
> be propagated to the main repository and, within 24 hours after the
> push, to the public repository.
> For information on how to access the public repository
> see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
>
> ChangeSet@stripped, 2007-09-20 18:05:09+04:00, evgen@stripped +3 -0
> Bug#29908: A user can gain additional access through the ALTER VIEW.
>
> A non-definer of a view was allowed to alter that view. Due to this, the alterer
> can elevate his access rights to the access rights of the view definer and thus
> modify data which he wasn't allowed to modify. A view defined with
> SQL SECURITY INVOKER can't be used directly for access rights elevation.
> But a user can first alter the view SQL code and then alter the view to
> SQL SECURITY DEFINER and thus elevate his access rights. Due to this,
> altering a view with SQL SECURITY INVOKER is also prohibited.
>
> Now the mysql_create_view function allows ALTER VIEW only to the view
> definer or a super user.
--
Alexander Nozdrin, Software Developer
MySQL AB, Moscow, Russia, www.mysql.com
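
An audit query for the condition the quoted changeset describes, added here as an example and not part of the original message or of the MySQL patch: it lists accounts other than a view's definer that hold both CREATE VIEW and DROP (the privileges ALTER VIEW requires) on that view at table, schema or global level. It assumes an administrative account that can see all grants in information_schema, and it matches schema-level grants by exact name only, so wildcard patterns in grants are not expanded.

```sql
-- Added audit example (not from the changeset).
-- Accounts returned here pass the privilege check for ALTER VIEW on a view
-- they do not own; with the fix described above, the server rejects them
-- unless they are the view definer or a super user.
SELECT
    v.TABLE_SCHEMA                 AS view_schema,
    v.TABLE_NAME                   AS view_name,
    v.DEFINER                      AS definer,
    v.SECURITY_TYPE                AS security_type,
    p.grantee                      AS non_definer_grantee,
    GROUP_CONCAT(DISTINCT p.scope) AS grant_scopes
FROM information_schema.VIEWS AS v
JOIN (
    -- GRANTEE is stored as 'user'@'host'; strip the quotes so it can be
    -- compared with VIEWS.DEFINER, which is stored as user@host.
    SELECT REPLACE(GRANTEE, '''', '') AS grantee,
           TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE, 'table' AS scope
      FROM information_schema.TABLE_PRIVILEGES
    UNION ALL
    SELECT REPLACE(GRANTEE, '''', ''),
           TABLE_SCHEMA, NULL, PRIVILEGE_TYPE, 'schema'
      FROM information_schema.SCHEMA_PRIVILEGES
    UNION ALL
    SELECT REPLACE(GRANTEE, '''', ''),
           NULL, NULL, PRIVILEGE_TYPE, 'global'
      FROM information_schema.USER_PRIVILEGES
) AS p
  ON (p.TABLE_SCHEMA = v.TABLE_SCHEMA OR p.TABLE_SCHEMA IS NULL)
 AND (p.TABLE_NAME   = v.TABLE_NAME   OR p.TABLE_NAME   IS NULL)
WHERE p.PRIVILEGE_TYPE IN ('CREATE VIEW', 'DROP')
  AND p.grantee <> v.DEFINER
GROUP BY v.TABLE_SCHEMA, v.TABLE_NAME, v.DEFINER, v.SECURITY_TYPE, p.grantee
-- Keep only grantees that hold both privileges, possibly at different levels.
HAVING COUNT(DISTINCT p.PRIVILEGE_TYPE) = 2
ORDER BY v.TABLE_SCHEMA, v.TABLE_NAME, p.grantee;
```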