database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES

Browse Source 
check_access() returning false for a database does not
guarantee that the access is granted to it.
This wrong condition in filling the INFORMATION_SCHEMA
tables causes extra tables to be returned to the user
even if he has no rights to see them.
Fixed by correcting the condition.
This commit is contained in:
Georgi Kodinov
2010-01-21 17:14:10 +02:00
parent e4b7138561
commit 679de2bb5e
3 changed files with 53 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
mysql-test/r/information_schema.result
View File

@ -1725,4 +1725,26 @@ SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0;
TEST_RESULT TEST_RESULT
OK OK
SET TIMESTAMP=DEFAULT; SET TIMESTAMP=DEFAULT;
#
# Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
#
CREATE DATABASE db1;
USE db1;
CREATE TABLE t1 (id INT);
CREATE USER nonpriv;
USE test;
# connected as nonpriv
# Should return 0
SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';
COUNT(*)
0
USE INFORMATION_SCHEMA;
# Should return 0
SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1';
COUNT(*)
0
# connected as root
DROP USER nonpriv;
DROP TABLE db1.t1;
DROP DATABASE db1;
End of 5.1 tests. End of 5.1 tests.

27
mysql-test/t/information_schema.test
View File

@ -1419,6 +1419,33 @@ SET TIMESTAMP=@@TIMESTAMP + 10000000;
SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0; SELECT 'OK' AS TEST_RESULT FROM INFORMATION_SCHEMA.PROCESSLIST WHERE time < 0;
SET TIMESTAMP=DEFAULT; SET TIMESTAMP=DEFAULT;
--echo #
--echo # Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
--echo #
CREATE DATABASE db1;
USE db1;
CREATE TABLE t1 (id INT);
CREATE USER nonpriv;
USE test;
connect (nonpriv_con, localhost, nonpriv,,);
connection nonpriv_con;
--echo # connected as nonpriv
--echo # Should return 0
SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='t1';
USE INFORMATION_SCHEMA;
--echo # Should return 0
SELECT COUNT(*) FROM TABLES WHERE TABLE_NAME='t1';
connection default;
--echo # connected as root
disconnect nonpriv_con;
DROP USER nonpriv;
DROP TABLE db1.t1;
DROP DATABASE db1;
--echo End of 5.1 tests. --echo End of 5.1 tests.
# Wait till all disconnects are completed # Wait till all disconnects are completed

8
sql/sql_show.cc
View File

@ -3367,11 +3367,11 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond)
while ((db_name= it++)) while ((db_name= it++))
{ {
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
if (!check_access(thd,SELECT_ACL, db_name->str, if (!(check_access(thd,SELECT_ACL, db_name->str,
&thd->col_access, 0, 1, with_i_schema) || &thd->col_access, 0, 1, with_i_schema) ||
(!thd->col_access && check_grant_db(thd, db_name->str))) ||
sctx->master_access & (DB_ACLS | SHOW_DB_ACL) || sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) || acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0))
!check_grant_db(thd, db_name->str))
#endif #endif
{ {
thd->no_warnings_for_error= 1; thd->no_warnings_for_error= 1;