• Developer Zone
• Lists Home
• FAQ

#At file:///data0/martin/bzr/5.1-5.1.29-rc-privilege-bugs/

 2678 Martin Hansson	2008-09-09
      Bug#35600: Security breach via view, I_S table and prepared
      statement/stored procedure
      
      View privileges are properly checked after the fix for bug no 
      36086, so the method TABLE_LIST::get_db_name() must be used 
      instead of field TABLE_LIST::db, as this only works for tables.
      Bug appears when accessing views in prepared statements.
modified:
  mysql-test/r/view_grant.result
  mysql-test/t/view_grant.test
  sql/sql_parse.cc

per-file messages:
  mysql-test/r/view_grant.result
    Bug#35600: Extended existing test case.
  mysql-test/t/view_grant.test
    Bug#35600: Extended existing test result.
  sql/sql_parse.cc
    Bug#35600: Using method to retrieve database name instead of
    field.
=== modified file 'mysql-test/r/view_grant.result'
--- a/mysql-test/r/view_grant.result	2008-09-03 14:45:40 +0000
+++ b/mysql-test/r/view_grant.result	2008-09-09 10:49:08 +0000
@@ -978,7 +978,9 @@ CREATE DATABASE mysqltest1;
 USE mysqltest1;
 CREATE VIEW v1 AS SELECT * FROM information_schema.tables LIMIT 1;
 CREATE ALGORITHM = TEMPTABLE VIEW v2 AS SELECT 1 AS A;
+CREATE VIEW test.v3 AS SELECT 1 AS a;
 GRANT SELECT ON mysqltest1.* to mysqluser1@localhost;
+GRANT ALL ON test.* TO mysqluser1@localhost;
 PREPARE stmt_v1     FROM "SELECT * FROM mysqltest1.v1";
 PREPARE stmt_v2 FROM "SELECT * FROM mysqltest1.v2";
 REVOKE SELECT ON mysqltest1.* FROM mysqluser1@localhost;
@@ -986,6 +988,11 @@ EXECUTE stmt_v1;
 ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 'v1'
 EXECUTE stmt_v2;
 ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 'v2'
+PREPARE stmt FROM "SELECT a FROM v3";
+EXECUTE stmt;
+a
+1
 DROP VIEW v1, v2;
 DROP DATABASE mysqltest1;
+DROP VIEW test.v3;
 DROP USER mysqluser1@localhost;

=== modified file 'mysql-test/t/view_grant.test'
--- a/mysql-test/t/view_grant.test	2008-09-03 14:45:40 +0000
+++ b/mysql-test/t/view_grant.test	2008-09-09 10:49:08 +0000
@@ -1265,8 +1265,11 @@ USE mysqltest1;
 CREATE VIEW v1 AS SELECT * FROM information_schema.tables LIMIT 1;
 CREATE ALGORITHM = TEMPTABLE VIEW v2 AS SELECT 1 AS A;
 
+CREATE VIEW test.v3 AS SELECT 1 AS a;
+
 --connection default
 GRANT SELECT ON mysqltest1.* to mysqluser1@localhost;
+GRANT ALL ON test.* TO mysqluser1@localhost;
 
 --connect (connection1, localhost, mysqluser1, , test)
 PREPARE stmt_v1     FROM "SELECT * FROM mysqltest1.v1";
@@ -1281,9 +1284,15 @@ REVOKE SELECT ON mysqltest1.* FROM mysql
 EXECUTE stmt_v1;
 --error ER_TABLEACCESS_DENIED_ERROR
 EXECUTE stmt_v2;
-
 --disconnect connection1
+
+--connect (connection2, localhost, mysqluser1,,)
+PREPARE stmt FROM "SELECT a FROM v3";
+EXECUTE stmt;
+--disconnect connection2
+
 --connection default
 DROP VIEW v1, v2;
 DROP DATABASE mysqltest1;
+DROP VIEW test.v3;
 DROP USER mysqluser1@localhost;

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2008-09-03 14:45:40 +0000
+++ b/sql/sql_parse.cc	2008-09-09 10:49:08 +0000
@@ -5196,12 +5196,14 @@ check_table_access(THD *thd, ulong want_
       tables->grant.privilege= want_access;
     else if (tables->db && thd->db && strcmp(tables->db,
thd->db) == 0)
     {
-      if (check_access(thd,want_access,tables->db,&tables->grant.privilege,
-			 0, no_errors, test(tables->schema_table)))
+      if (check_access(thd, want_access, tables->get_db_name(),
+                       &tables->grant.privilege, 0, no_errors, 
+                       test(tables->schema_table)))
         goto deny;                            // Access denied
     }
-    else if (check_access(thd,want_access,tables->db,&tables->grant.privilege,
-			  0, no_errors, test(tables->schema_table)))
+    else if (check_access(thd, want_access, tables->get_db_name(),
+                          &tables->grant.privilege, 0, no_errors, 
+                          test(tables->schema_table)))
       goto deny;
   }
   thd->security_ctx= backup_ctx;