From:Georgi Kodinov Date:February 2 2010 5:07pm
Subject:bzr commit into mysql-5.1-bugteam branch (joro:3351) Bug#50276
#At file:///home/kgeorge/mysql/work/B50276-5.1-bugteam/ based on revid:joro@stripped

 3351 Georgi Kodinov	2010-01-21
      Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
      
      check_access() returning false for a database does not
      guarantee that the access is granted to it.
      This wrong condition in filling the INFORMATION_SCHEMA
      tables causes extra tables to be returned to the user
      even if he has no rights to see them.
      Fixed by correcting the condition.

    modified:
      mysql-test/r/information_schema.result
      mysql-test/t/information_schema.test
      sql/sql_show.cc
=== modified file 'mysql-test/r/information_schema.result'
--- a/mysql-test/r/information_schema.result	2009-05-15 12:57:51 +0000
+++ b/mysql-test/r/information_schema.result	2010-01-21 15:14:10 +0000
@@ -1725,4 +1725,26 @@ SELECT 'OK' AS TEST_RESULT FROM INFORMAT
 TEST_RESULT
 OK
 SET TIMESTAMP=DEFAULT;
+#
+# Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
+#
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1 (id INT);
+CREATE USER nonpriv;
+USE test;
+# connected as nonpriv
+# Should return 0
+SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';
+COUNT(*)
+0
+USE INFORMATION_SCHEMA;
+# Should return 0
+SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1';
+COUNT(*)
+0
+# connected as root
+DROP USER nonpriv;
+DROP TABLE db1.t1;
+DROP DATABASE db1;
 End of 5.1 tests.

=== modified file 'mysql-test/t/information_schema.test'
--- a/mysql-test/t/information_schema.test	2009-05-15 12:57:51 +0000
+++ b/mysql-test/t/information_schema.test	2010-01-21 15:14:10 +0000
@@ -1419,6 +1419,33 @@ SET TIMESTAMP=@@TIMESTAMP + 10000000;
 SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0;
 SET TIMESTAMP=DEFAULT;
 
+
+--echo #
+--echo # Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
+--echo #
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1 (id INT);
+CREATE USER nonpriv;
+USE test;
+
+connect (nonpriv_con, localhost, nonpriv,,);
+connection nonpriv_con;
+--echo # connected as nonpriv
+--echo # Should return 0
+SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';
+USE INFORMATION_SCHEMA;
+--echo # Should return 0
+SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1';
+
+connection default;
+--echo # connected as root
+disconnect nonpriv_con;
+DROP USER nonpriv;
+DROP TABLE db1.t1;
+DROP DATABASE db1;
+
+
 --echo End of 5.1 tests.
 
 # Wait till all disconnects are completed
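Review bot: The added case only exercises an account with no privileges at all, so it pins the leak but not the branch the fix reroutes through `check_grant_db()` in sql/sql_show.cc. A positive case would guard against the corrected condition hiding tables the user is entitled to see: after `GRANT SELECT ON db1.t1 TO nonpriv;` the same `SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';` should presumably return 1. A further case where nonpriv holds a grant on a different table in db1 only, with 0 expected for t1, would cover a database that is admitted by a table-level grant while t1 itself must stay hidden. The recorded .result file would need the matching output.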

=== modified file 'sql/sql_show.cc'
--- a/sql/sql_show.cc	2010-01-22 10:58:21 +0000
+++ b/sql/sql_show.cc	2010-01-21 15:14:10 +0000
@@ -3367,11 +3367,11 @@ int get_all_tables(THD *thd, TABLE_LIST 
   while ((db_name= it++))
   {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-    if (!check_access(thd,SELECT_ACL, db_name->str, 
-                      &thd->col_access, 0, 1, with_i_schema) ||
+    if (!(check_access(thd,SELECT_ACL, db_name->str, 
+                       &thd->col_access, 0, 1, with_i_schema) ||
+          (!thd->col_access && check_grant_db(thd, db_name->str))) ||
         sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
-	acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) ||
-	!check_grant_db(thd, db_name->str))
+        acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0))
 #endif
     {
       thd->no_warnings_for_error= 1;
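Review bot: The rewritten access filter at the top of the loop body has no comment and is hard to audit as written. check_access() and check_grant_db() appear to return true on denial, while the `sctx->master_access` and `acl_get()` terms are positive privilege tests, and `thd->col_access` is read in the same expression that fills it through check_access()'s out-parameter. Because this is the condition the bug was in, I would add a comment above the `if`, for example `/* List db if the db-level check passes and the user has db privileges or at least one table/column grant in it, or holds a global DB privilege, or has any db-level ACL entry. */`, and state there that the short-circuit `||` is what guarantees col_access is set before it is tested. The loop body continues outside the hunk, so whether tables are still filtered individually for a database admitted only through check_grant_db() cannot be confirmed from here.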


Attachment: [text/bzr-bundle] bzr/joro@sun.com-20100121151410-lc5d91r4pszil23j.bundle