mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00

MDEV-32500 Information schema leaks table names and structure to unauthorized users

standard table KEY_COLUMN_USAGE should only show keys where
a user has some privileges on every column of the key

standard table TABLE_CONSTRAINTS should show tables where
a user has any non-SELECT privilege on the table or on any column
of the table

standard table REFERENTIAL_CONSTRAINTS is defined in terms of
TABLE_CONSTRAINTS, so the same rule applies. If the user
has no rights to see the REFERENCED_TABLE_NAME value, it should be NULL

SHOW INDEX (and STATISTICS table) is non-standard, but it seems
reasonable to use the same logic as for KEY_COLUMN_USAGE.
Sergei Golubchik
2023-10-19 17:02:37 +02:00
parent 2eee0e9b89
commit 547dfc0e01
10 changed files with 229 additions and 25 deletions

@ -7011,6 +7011,7 @@ static bool check_show_access(THD *thd, TABLE_LIST *table)
FALSE, FALSE))
return TRUE; /* Access denied */
thd->col_access= dst_table->grant.privilege; // for sql_show.cc
/*
Check_grant will grant access if there is any column privileges on
all of the tables thanks to the fourth parameter (bool show_table).
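Review bot: The assignment `thd->col_access= dst_table->grant.privilege;` hands state to another file through a THD member, and the only documentation is the trailing `// for sql_show.cc`. Please expand the comment to name the code in sql_show.cc that reads it and to state what the value represents. As visible here, it is copied from dst_table->grant.privilege ahead of the check_grant behaviour that the following comment describes, so it appears to carry the table's grant bits rather than the "any column privileges" case that check_grant accepts; if the information schema filtering depends on that distinction, say so here. The value is also only set on the path that gets past `return TRUE; /* Access denied */`, so it is worth confirming that no reader can pick up a value left over from an earlier statement.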