
MDEV-32500 Information schema leaks table names and structure to unauthorized users

standard table KEY_COLUMN_USAGE should only show keys where
a user has some privileges on every column of the key

standard table TABLE_CONSTRAINTS should show tables where
a user has any non-SELECT privilege on the table or on any column
of the table

standard table REFERENTIAL_CONSTRAINTS is defined in terms of
TABLE_CONSTRAINTS, so the same rule applies. If the user
has no rights to see the REFERENCED_TABLE_NAME value, it should be NULL

SHOW INDEX (and STATISTICS table) is non-standard, but it seems
reasonable to use the same logic as for KEY_COLUMN_USAGE.
This commit is contained in:
Sergei Golubchik
2023-10-19 17:02:37 +02:00
parent 2eee0e9b89
commit 547dfc0e01
10 changed files with 229 additions and 25 deletions


@ -104,11 +104,11 @@ CREATE TABLE db_datadict.t2 (f1 BIGINT, f2 BIGINT, f3 BIGINT, f4 BIGINT,
f5 BIGINT, f6 BIGINT, PRIMARY KEY (f1,f2))
ENGINE = <some_engine_type>;
CREATE USER 'testuser1'@'localhost';
GRANT SELECT(f5) ON db_datadict.t1 TO 'testuser1'@'localhost';
GRANT SELECT(f5), UPDATE(f6) ON db_datadict.t1 TO 'testuser1'@'localhost';
SHOW GRANTS FOR 'testuser1'@'localhost';
Grants for testuser1@localhost
GRANT USAGE ON *.* TO `testuser1`@`localhost`
GRANT SELECT (`f5`) ON `db_datadict`.`t1` TO `testuser1`@`localhost`
GRANT SELECT (`f5`), UPDATE (`f6`) ON `db_datadict`.`t1` TO `testuser1`@`localhost`
SELECT * FROM information_schema.table_constraints
WHERE table_schema = 'db_datadict'
ORDER BY table_schema,table_name, constraint_name;
@ -132,7 +132,7 @@ connect testuser1, localhost, testuser1, , db_datadict;
SHOW GRANTS FOR 'testuser1'@'localhost';
Grants for testuser1@localhost
GRANT USAGE ON *.* TO `testuser1`@`localhost`
GRANT SELECT (`f5`) ON `db_datadict`.`t1` TO `testuser1`@`localhost`
GRANT SELECT (`f5`), UPDATE (`f6`) ON `db_datadict`.`t1` TO `testuser1`@`localhost`
SELECT * FROM information_schema.table_constraints
WHERE table_schema = 'db_datadict'
ORDER BY table_schema,table_name, constraint_name;
@ -142,11 +142,6 @@ def db_datadict my_idx2 db_datadict t1 UNIQUE
def db_datadict PRIMARY db_datadict t1 PRIMARY KEY
SHOW INDEXES FROM db_datadict.t1;
Table Non_unique Key_name Seq_in_index Column_name Collation Cardinality Sub_part Packed Null Index_type Comment Index_comment
t1 0 PRIMARY 1 f1 ### ### ### ### ### ### ###
t1 0 PRIMARY 2 f2 ### ### ### ### ### ### ###
t1 0 my_idx1 1 f6 ### ### ### ### ### ### ###
t1 0 my_idx1 2 f1 ### ### ### ### ### ### ###
t1 0 my_idx2 1 f3 ### ### ### ### ### ### ###
SHOW INDEXES FROM db_datadict.t2;
ERROR 42000: SELECT command denied to user 'testuser1'@'localhost' for table `db_datadict`.`t2`
connection default;