From: Alexander Nozdrin
Date: September 22 2007 12:34pm
Subject: Re: bk commit into 5.0 tree (evgen:1.2526) BUG#29908
List-Archive: http://lists.mysql.com/commits/34487
Message-Id: <200709221634.31056.alik@mysql.com>

Hi,

Ok to push.

However, one more request: could you please highlight in the CS comment that the patch introduces backward-incompatible changes.

Thank you!

On Thursday 20 September 2007 18:05, eugene@stripped wrote:
> Below is the list of changes that have just been committed into a local
> 5.0 repository of evgen. When evgen does a push these changes will
> be propagated to the main repository and, within 24 hours after the
> push, to the public repository.
> For information on how to access the public repository
> see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
>
> ChangeSet@stripped, 2007-09-20 18:05:09+04:00, evgen@stripped +3 -0
> Bug#29908: A user can gain additional access through the ALTER VIEW.
>
> A non-definer of a view was allowed to alter that view. Due to this, the alterer
> can elevate his access rights to the access rights of the view definer and thus
> modify data which he wasn't allowed to modify. A view defined with
> SQL SECURITY INVOKER can't be used directly for access rights elevation,
> but a user can first alter the view SQL code and then alter the view to
> SQL SECURITY DEFINER and thus elevate his access rights. Due to this,
> altering a view with SQL SECURITY INVOKER is also prohibited.
>
> Now the mysql_create_view function allows ALTER VIEW only to the view
> definer or a super user.

--
Alexander Nozdrin, Software Developer
MySQL AB, Moscow, Russia, www.mysql.com
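A regression check for the rule the commit message states (ALTER VIEW is accepted only from the view definer or a SUPER user), added here as an example and not part of the original thread or of the MySQL patch itself. The schema, view, user names and passwords are constructed placeholders, and the expected outcome assumes a server carrying the Bug#29908 fix.

```sql
-- Run the setup as an account holding SUPER (e.g. root).
-- All names and passwords below are constructed placeholders.
CREATE DATABASE bug29908_check;
CREATE TABLE bug29908_check.secret (id INT, note VARCHAR(64));
INSERT INTO bug29908_check.secret VALUES (1, 'definer-only data');

CREATE USER 'view_definer'@'localhost' IDENTIFIED BY 'PLACEHOLDER_PW_1';
CREATE USER 'view_user'@'localhost'    IDENTIFIED BY 'PLACEHOLDER_PW_2';

-- The definer owns the schema. The other user gets exactly the privileges
-- ALTER VIEW needs on its own (CREATE VIEW + DROP on the view, SELECT on the
-- base table), so that a rejection can only come from the definer/SUPER check.
GRANT ALL ON bug29908_check.* TO 'view_definer'@'localhost';
GRANT SELECT ON bug29908_check.secret TO 'view_user'@'localhost';

CREATE DEFINER = 'view_definer'@'localhost' SQL SECURITY INVOKER
  VIEW bug29908_check.v_ids AS SELECT id FROM bug29908_check.secret;
GRANT SELECT, CREATE VIEW, DROP ON bug29908_check.v_ids TO 'view_user'@'localhost';

-- Control case: the definer may still alter its own view.
-- (connect as 'view_definer'@'localhost' for this statement)
ALTER VIEW bug29908_check.v_ids AS SELECT id, note FROM bug29908_check.secret;

-- Regression case: the same kind of statement from a non-definer must be
-- rejected with an access-denied error on a fixed server. Before the fix it
-- was accepted, which is the escalation path the commit message describes.
-- (connect as 'view_user'@'localhost' for this statement)
ALTER VIEW bug29908_check.v_ids AS SELECT id FROM bug29908_check.secret;

-- Audit query, usable on its own: views running in DEFINER context are the
-- ones where an accepted ALTER VIEW would hand the alterer the definer's rights.
SELECT TABLE_SCHEMA, TABLE_NAME, DEFINER, SECURITY_TYPE
  FROM INFORMATION_SCHEMA.VIEWS
 WHERE SECURITY_TYPE = 'DEFINER';

-- Cleanup (as the SUPER account again)
DROP DATABASE bug29908_check;
DROP USER 'view_definer'@'localhost';
DROP USER 'view_user'@'localhost';
```

The two ALTER VIEW statements are meant to be issued from separate sessions, one per account; only the definer's statement is expected to succeed.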