* Kristofer Pettersson <Kristofer.Pettersson@stripped> [09/05/28 18:57]:
> 2874 Kristofer Pettersson 2009-05-28
> Bug#44658 Create procedure makes server crash when user does not have ALL
> privilege
>
> MySQL crashes if a user without proper privileges attempts to create a
> procedure.
The patch is good, two comments:
1) Please change the calling convention of sp_exists_rotuine() and
sp_grant_privileges to return my_bool (TRUE error, FALSE success).
2) Instead of removing the call to my_error(), use push_warning()
extend the scope of the pushed internal error handler here:
> @@ -6224,7 +6220,6 @@ int sp_grant_privileges(THD *thd, const
> }
> else
> {
> - my_error(ER_PASSWD_LENGTH, MYF(0), SCRAMBLED_PASSWORD_CHAR_LENGTH);
> return -1;
> }
> combo->password.str= passwd_buff;
> === modified file 'sql/sql_parse.cc'
> --- a/sql/sql_parse.cc 2009-04-09 11:30:44 +0000
> +++ b/sql/sql_parse.cc 2009-05-28 14:31:41 +0000
> @@ -3883,7 +3883,9 @@ end_with_restore_list:
> res= mysql_routine_grant(thd, all_tables,
> lex->type == TYPE_ENUM_PROCEDURE,
> lex->users_list, grants,
> - lex->sql_command == SQLCOM_REVOKE, 0);
> + lex->sql_command == SQLCOM_REVOKE, TRUE);
> + if (!res)
> + my_ok(thd);
> }
This is very good. Thank you very much for that change.
Long term we need to change all the other places to not call
my_ok() from functions that perform the actual SQL command.
That will allow us to reuse these functions more easily.
my_ok() can be invoked from mysql_execute_command() or from a
helper wrapper, and in future by SQL command virtual class
that inherits from an interface that follows Template
method pattern.
--
