From 68910e7092a3741fff56632b84f5eb340ef99245 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Sun, 24 Jan 2016 20:43:19 +0100 Subject: [PATCH] MDEV-9273 ERROR 1819 on grant statment for existing user Cannot do password validation in fix_lex_user(), we don't know there what "GRANT ... TO user" means - creating a new user with an empty password (need validation) or granting privileges to an existing user (no validation needed). Move validation down into replace_user_table(). And copy into check_change_password(). --- .../suite/plugins/r/simple_password_check.result | 3 ++- mysql-test/suite/plugins/t/simple_password_check.test | 3 ++- sql/sql_acl.cc | 10 ++++++---- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/mysql-test/suite/plugins/r/simple_password_check.result b/mysql-test/suite/plugins/r/simple_password_check.result index c74471a651a..c74b4e99992 100644 --- a/mysql-test/suite/plugins/r/simple_password_check.result +++ b/mysql-test/suite/plugins/r/simple_password_check.result @@ -79,6 +79,7 @@ ERROR HY000: Your password does not satisfy the current policy requirements grant select on *.* to `BarFoo1!` identified by 'FooBar1!'; drop user `BarFoo1!`; create user foo1 identified by 'aA.12345'; +grant select on *.* to foo1; drop user foo1; set global simple_password_check_digits=3; set global simple_password_check_letters_same_case=3; @@ -129,7 +130,7 @@ ERROR HY000: The MariaDB server is running with the --strict-password-validation create user foo2 identified with mysql_native_password using ''; ERROR HY000: Your password does not satisfy the current policy requirements grant select on *.* to foo2 identified with mysql_old_password; -ERROR HY000: Your password does not satisfy the current policy requirements +ERROR 28000: Can't find any matching row in the user table update mysql.user set password='xxx' where user='foo1'; set global strict_password_validation=0; set password for foo1 = ''; diff --git a/mysql-test/suite/plugins/t/simple_password_check.test b/mysql-test/suite/plugins/t/simple_password_check.test index c31e31154e3..9854f93efe8 100644 --- a/mysql-test/suite/plugins/t/simple_password_check.test +++ b/mysql-test/suite/plugins/t/simple_password_check.test @@ -26,6 +26,7 @@ grant select on *.* to `BarFoo1!` identified by 'FooBar1!'; drop user `BarFoo1!`; create user foo1 identified by 'aA.12345'; +grant select on *.* to foo1; drop user foo1; set global simple_password_check_digits=3; @@ -78,7 +79,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111 grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222'; --error ER_NOT_VALID_PASSWORD create user foo2 identified with mysql_native_password using ''; ---error ER_NOT_VALID_PASSWORD +--error ER_PASSWORD_NO_MATCH grant select on *.* to foo2 identified with mysql_old_password; # direct updates are not protected diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index ca1763209b9..c6793241f70 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -1050,9 +1050,6 @@ static bool fix_lex_user(THD *thd, LEX_USER *user) return true; } - if (validate_password(user)) - return true; - if (user->pwtext.length && !user->pwhash.length) { size_t scramble_length; @@ -2747,7 +2744,8 @@ bool check_change_password(THD *thd, LEX_USER *user) { LEX_USER *real_user= get_current_user(thd, user); - if (fix_and_copy_user(real_user, user, thd)) + if (fix_and_copy_user(real_user, user, thd) || + validate_password(real_user)) return true; *user= *real_user; @@ -3461,6 +3459,10 @@ static int replace_user_table(THD *thd, TABLE *table, LEX_USER &combo, store_record(table,record[1]); // Save copy for update } + if (!old_row_exists || combo.pwtext.length || combo.pwhash.length) + if (validate_password(&combo)) + goto end; + /* Update table columns with new privileges */ Field **tmp_field;