From:Evgeny Potemkin Date:August 26 2008 10:41pm
Subject:bzr commit into mysql-5.1 branch (epotemkin:2583) Bug#37908
#At file:///work/bzr_trees/37908-5.1-opt/

 2583 Evgeny Potemkin	2008-08-27
      Bug#37908: Skipped access right check caused server crash.
      
      The check_table_access function initializes per-table grant info and performs
      access rights check. It wasn't called for the SHOW STATUS statement, thus leaving the
      grant info uninitialized. In some cases this led to a server crash. In other
      cases it allowed a user to check for presence/absence of arbitrary values in
      any tables.
      
      Now the check_table_access function is called prior to the statement
      processing.
modified:
  mysql-test/r/status.result
  mysql-test/t/disabled.def
  mysql-test/t/status.test
  sql/sql_parse.cc
  sql/sql_yacc.yy

per-file messages:
  mysql-test/r/status.result
    Added a test case for the bug#37908.
  mysql-test/t/disabled.def
    The bug#32966 is fixed, enabling test case.
  mysql-test/t/status.test
    Added a test case for the bug#37908.
  sql/sql_parse.cc
    Bug#37908: Skipped access right check caused server crash.
    Now the check_table_access function is called when the SHOW STATUS statement
    uses any table except information.STATUS.
  sql/sql_yacc.yy
    Bug#37908: Skipped access right check caused server crash.
    For the SHOW PROCEDURE/FUNCTION STATUS the 'mysql.proc' table isn't added
    to the table list anymore as there is no need.
=== modified file 'mysql-test/r/status.result'
--- a/mysql-test/r/status.result	2007-12-19 00:27:15 +0000
+++ b/mysql-test/r/status.result	2008-08-26 20:40:59 +0000
@@ -183,3 +183,20 @@ Com_create_function	1
 Com_drop_function	1
 Com_show_function_code	0
 Com_show_function_status	0
+create database db37908;
+create table db37908.t1(f1 int);
+insert into db37908.t1 values(1);
+grant usage on test.* to mysqltest_1@localhost;
+create procedure proc37908() begin select 1; end |
+select * from db37908.t1;
+ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't1'
+show status where variable_name ='uptime' and 1 in (select f1 from db37908.t1);
+ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't1'
+show status where variable_name ='uptime' and 2 in (select f1 from db37908.t1);
+ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't1'
+show status where variable_name ='uptime' and 2 in (select * from db37908.t1);
+ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't1'
+show procedure status where name ='proc37908' and 1 in (select f1 from db37908.t1);
+ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't1'
+drop database db37908;
+drop procedure proc37908;

=== modified file 'mysql-test/t/disabled.def'
--- a/mysql-test/t/disabled.def	2008-03-29 12:19:53 +0000
+++ b/mysql-test/t/disabled.def	2008-08-26 20:40:59 +0000
@@ -16,6 +16,5 @@ federated_transactions   : Bug#29523 Tra
 lowercase_table3         : Bug#32667 lowercase_table3.test reports to error log
 innodb_mysql         : Bug#32724: innodb_mysql.test fails randomly
 ctype_create         : Bug#32965 main.ctype_create fails
-status               : Bug#32966 main.status fails
 ps_ddl               : Bug#12093 2007-12-14 pending WL#4165 / WL#4166
 csv_alter_table      : Bug#33696 2008-01-21 pcrews no .result file - bug allows NULL
columns in CSV tables

=== modified file 'mysql-test/t/status.test'
--- a/mysql-test/t/status.test	2007-12-14 23:27:40 +0000
+++ b/mysql-test/t/status.test	2008-08-26 20:40:59 +0000
@@ -260,5 +260,36 @@ drop function f1;
 
 show global status like 'Com%function%';
 
+#
+# Bug#37908: Skipped access right check caused server crash.
+#
+connect (root, localhost, root,,test);
+connection root;
+--disable_warnings
+create database db37908;
+--enable_warnings
+create table db37908.t1(f1 int);
+insert into db37908.t1 values(1);
+grant usage on test.* to mysqltest_1@localhost;
+delimiter |;
+create procedure proc37908() begin select 1; end |
+delimiter ;|
 
+connect (user1,localhost,mysqltest_1,,test);
+connection user1;
+
+--error 1142
+select * from db37908.t1;
+--error 1142
+show status where variable_name ='uptime' and 1 in (select f1 from db37908.t1);
+--error 1142
+show status where variable_name ='uptime' and 2 in (select f1 from db37908.t1);
+--error 1142
+show status where variable_name ='uptime' and 2 in (select * from db37908.t1);
+--error 1142
+show procedure status where name ='proc37908' and 1 in (select f1 from db37908.t1);
+
+connection root;
+drop database db37908;
+drop procedure proc37908;
 # End of 5.1 tests
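Review bot: The cleanup at the end of the new block drops the database and the procedure but never drops the account created by `grant usage on test.* to mysqltest_1@localhost;` nor disconnects the user1 connection, so the account leaks into later tests; add `drop user mysqltest_1@localhost;` and `disconnect user1;` after `drop procedure proc37908;`. The block also exercises only the denied path; a positive check (`grant select on db37908.t1 to mysqltest_1@localhost;` followed by the same `show status ... in (select f1 from db37908.t1)` without `--error`) would confirm that the new check_table_access call admits a user who holds SELECT on the subquery table rather than rejecting SHOW STATUS with subqueries outright. The numeric `--error 1142` would read better as the symbolic `--error ER_TABLEACCESS_DENIED_ERROR`, which mysqltest accepts.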

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2008-04-07 13:43:45 +0000
+++ b/sql/sql_parse.cc	2008-08-26 20:40:59 +0000
@@ -2001,13 +2001,15 @@ mysql_execute_command(THD *thd)
   case SQLCOM_SHOW_EVENTS:
   case SQLCOM_SHOW_STATUS_PROC:
   case SQLCOM_SHOW_STATUS_FUNC:
-    res= execute_sqlcom_select(thd, all_tables);
+    if (!(res= check_table_access(thd, SELECT_ACL, all_tables, UINT_MAX, FALSE)))
+      res= execute_sqlcom_select(thd, all_tables);
     break;
   case SQLCOM_SHOW_STATUS:
   {
     system_status_var old_status_var= thd->status_var;
     thd->initial_status_var= &old_status_var;
-    res= execute_sqlcom_select(thd, all_tables);
+    if (!(res= check_table_access(thd, SELECT_ACL, all_tables, UINT_MAX, FALSE)))
+      res= execute_sqlcom_select(thd, all_tables);
     /* Don't log SHOW STATUS commands to slow query log */
     thd->server_status&= ~(SERVER_QUERY_NO_INDEX_USED |
                            SERVER_QUERY_NO_GOOD_INDEX_USED);
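Review bot: The two new `check_table_access(thd, SELECT_ACL, all_tables, UINT_MAX, FALSE)` calls carry no comment saying why a SHOW statement now needs a table-level privilege check, and the UINT_MAX / FALSE arguments are opaque at the call site; a one-line comment such as `/* Subqueries in the WHERE clause may read user tables: require SELECT on every table in the list before executing */` above each call would explain it. The same two lines are duplicated between the SQLCOM_SHOW_EVENTS/SQLCOM_SHOW_STATUS_PROC/SQLCOM_SHOW_STATUS_FUNC case and the SQLCOM_SHOW_STATUS case, which differ only in the status_var bookkeeping, so a small shared helper would keep the two checks from drifting apart. In the SQLCOM_SHOW_STATUS case `thd->initial_status_var` is pointed at the stack variable old_status_var before the check runs; the reset of that pointer presumably happens in the lines after the hunk, so confirm that a denied request takes the same path and does not leave it dangling. mysql_execute_command starts and ends outside the hunk, and if SHOW STATUS can also be prepared, the prepare-time validation path should be checked for the same missing privilege check.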

=== modified file 'sql/sql_yacc.yy'
--- a/sql/sql_yacc.yy	2008-04-19 14:07:43 +0000
+++ b/sql/sql_yacc.yy	2008-08-26 20:40:59 +0000
@@ -9358,8 +9358,6 @@ show_param:
           {
             LEX *lex= Lex;
             lex->sql_command= SQLCOM_SHOW_STATUS_PROC;
-            if (!sp_add_to_query_tables(YYTHD, lex, "mysql", "proc", TL_READ))
-              MYSQL_YYABORT;
             if (prepare_schema_table(YYTHD, lex, 0, SCH_PROCEDURES))
               MYSQL_YYABORT;
           }
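Review bot: Dropping `sp_add_to_query_tables(YYTHD, lex, "mysql", "proc", TL_READ)` leaves no comment on why SHOW PROCEDURE STATUS no longer needs mysql.proc in the query table list, so a reader will ask whether the procedure table is still opened and read-locked anywhere. Presumably the SCH_PROCEDURES schema-table fill routine opens mysql.proc on its own, and keeping the entry would now make the SELECT_ACL check added in sql_parse.cc deny SHOW PROCEDURE STATUS to any user without SELECT on mysql.proc — confirm both and record the reason in a comment, e.g. `/* mysql.proc is deliberately not added to the table list: the schema table handler opens it itself and it must not be subject to the caller's SELECT privilege check */`. The identical removal in the SQLCOM_SHOW_STATUS_FUNC action of the next hunk needs the same note.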
@@ -9367,8 +9365,6 @@ show_param:
           {
             LEX *lex= Lex;
             lex->sql_command= SQLCOM_SHOW_STATUS_FUNC;
-            if (!sp_add_to_query_tables(YYTHD, lex, "mysql", "proc", TL_READ))
-              MYSQL_YYABORT;
             if (prepare_schema_table(YYTHD, lex, 0, SCH_PROCEDURES))
               MYSQL_YYABORT;
           }
