PR #1127 and PR #1150bb-10.2-anel-fix-grants-check-constraint

PR#1127: Fix is_check_constraints.result to be compatibile with 10.3

The patch is done according to the original patch for MDEV-14474
1edd09c325525cba33152 and not one which is merged on server
d526679efd108478cc2af07578.
This patch includes:
- Rename from `is_check_constraint` to `is_check_constraints` to tests
and results
- Per review, change the order of fields in IS check_constraints table by adding
the column `table_name` before `constraint_name`. According to the standard
2006 there is no `table_name` column.
- Original patch and one in `10.3` supports embedded server this patch doesn't
support. After the merge `10.3` will not support also.
- Don't use patch c8b8b01b61 to change the length of `CHECK_CLAUSE` field

PR#1150: MDEV-18440: Information_schema.check_constraints possible data leak

This patch is extension of PR 1127 and includes:
- Check for table grants
- Additional test according to the MDEV specification

3 files changed, 84 insertions, 14 deletions

diff --git a/mysql-test/suite/funcs_1/r/is_check_constraint.result b/mysql-test/suite/funcs_1/r/is_check_constraints.result
index e36db395eb9..4d7c7b446e6 100644
--- a/mysql-test/suite/funcs_1/r/is_check_constraint.result
+++ b/mysql-test/suite/funcs_1/r/is_check_constraints.result
@@ -119,3 +119,29 @@ disconnect con1;
 connection default;
 DROP USER boo1;
 DROP USER boo2;
+#
+# MDEV-18440: Information_schema.check_constraints possible data leak
+#
+CREATE USER foo;
+CREATE DATABASE db;
+USE db;
+CREATE TABLE t1 (a int, b int, CONSTRAINT CHECK (b > 0));
+INSERT INTO t1 VALUES (1, 2), (2, 3);
+GRANT SELECT (a) ON t1 TO foo;
+SHOW GRANTS FOR foo;
+Grants for foo@%
+GRANT USAGE ON *.* TO 'foo'@'%'
+GRANT SELECT (a) ON `db`.`t1` TO 'foo'@'%'
+SELECT * FROM information_schema.check_constraints;
+CONSTRAINT_CATALOG	CONSTRAINT_SCHEMA	TABLE_NAME	CONSTRAINT_NAME	CHECK_CLAUSE
+def	db	t1	CONSTRAINT_1	`b` > 0
+CONNECT con1,localhost, foo,, db;
+SELECT a FROM t1;
+a
+1
+2
+SELECT * FROM information_schema.check_constraints;
+CONSTRAINT_CATALOG	CONSTRAINT_SCHEMA	TABLE_NAME	CONSTRAINT_NAME	CHECK_CLAUSE
+connection default;
+DROP USER foo;
+DROP DATABASE db;
diff --git a/mysql-test/suite/funcs_1/t/is_check_constraint.test b/mysql-test/suite/funcs_1/t/is_check_constraints.test
index 30a72d02b34..eadfd817832 100644
--- a/mysql-test/suite/funcs_1/t/is_check_constraint.test
+++ b/mysql-test/suite/funcs_1/t/is_check_constraints.test
@@ -40,7 +40,7 @@ CREATE TABLE t1
  CONSTRAINT CHECK (tt > 32), CONSTRAINT CHECK (tt <50),# autogenerated names table constraints
  CONSTRAINT CHK_tt CHECK(tt<100) # named table constraint
 ) ENGINE=InnoDB;
- --sorted_result
+--sorted_result
 SELECT * from information_schema.check_constraints;
 
 ALTER TABLE t1
@@ -55,7 +55,7 @@ start_date DATE,
 end_date DATE,
 CONSTRAINT CHK_dates CHECK(start_date IS NULL) #table constraint
 )ENGINE=Innodb;
- --sorted_result
+--sorted_result
 SELECT * from information_schema.check_constraints;
 
 ALTER TABLE t1
@@ -70,12 +70,12 @@ a int,
 b int check (b>0), # field constraint named 'b'
 CONSTRAINT b check (b>10) # table constraint
 ) ENGINE=InnoDB;
- --sorted_result
+--sorted_result
 SELECT * from information_schema.check_constraints;
 
 DISCONNECT con1;
 CONNECT(con2, localhost, boo2,, test);
- --sorted_result
+--sorted_result
 SELECT * from information_schema.check_constraints;
 
 DISCONNECT con2;
@@ -90,3 +90,28 @@ DISCONNECT con1;
 --CONNECTION default
 DROP USER boo1;
 DROP USER boo2;
+
+--echo #
+--echo # MDEV-18440: Information_schema.check_constraints possible data leak
+--echo #
+
+CREATE USER foo;
+CREATE DATABASE db;
+USE db;
+CREATE TABLE t1 (a int, b int, CONSTRAINT CHECK (b > 0));
+INSERT INTO t1 VALUES (1, 2), (2, 3);
+GRANT SELECT (a) ON t1 TO foo;
+
+SHOW GRANTS FOR foo;
+--sorted_result
+SELECT * FROM information_schema.check_constraints;
+
+CONNECT(con1,localhost, foo,, db);
+SELECT a FROM t1;
+--sorted_result
+SELECT * FROM information_schema.check_constraints;
+
+--CONNECTION default
+
+DROP USER foo;
+DROP DATABASE db;
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index f54a9af5441..14db4a4545c 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -6526,7 +6526,7 @@ static int get_check_constraints_record(THD *thd, TABLE_LIST *tables,
                                         LEX_STRING *table_name)
 {
   DBUG_ENTER("get_check_constraints_record");
-  if(res)
+  if (res)
   {
     if (thd->is_error())
       push_warning(thd, Sql_condition::WARN_LEVEL_WARN,
@@ -6535,15 +6535,33 @@ static int get_check_constraints_record(THD *thd, TABLE_LIST *tables,
     thd->clear_error();
     DBUG_RETURN(0);
   }
-  if(!tables->view)
+  if (!tables->view)
   {
     StringBuffer<MAX_FIELD_WIDTH> str(system_charset_info);
+     #ifndef NO_EMBEDDED_ACCESS_CHECKS
+      TABLE_LIST table_acl_check;
+      bzero((char*) &table_acl_check, sizeof(table_acl_check));
+    #endif
     for (uint i= 0; i < tables->table->s->table_check_constraints; i++)
     {
+      #ifndef NO_EMBEDDED_ACCESS_CHECKS
+        if (!(thd->col_access & TABLE_ACLS))
+        {
+          table_acl_check.db= db_name->str;
+          table_acl_check.db_length= db_name->length;
+          table_acl_check.table_name= table_name->str;
+          table_acl_check.table_name_length= table_name->length;
+          table_acl_check.grant.privilege= thd->col_access;
+          // Check table grant and don't raise any error
+          if (check_grant(thd, TABLE_ACLS, &table_acl_check, FALSE, 1, TRUE))
+            continue;
+        }
+      #endif
       Virtual_column_info *check= tables->table->check_constraints[i];
       table->field[0]->store(STRING_WITH_LEN("def"), system_charset_info);
       table->field[3]->store(check->name.str, check->name.length,
                              system_charset_info);
+      // Clear the string
       str.length(0);
       check->print(&str);
       table->field[4]->store(str.ptr(), str.length(), system_charset_info);
@@ -6551,8 +6569,7 @@ static int get_check_constraints_record(THD *thd, TABLE_LIST *tables,
         DBUG_RETURN(1);
     }
   }
-
-  DBUG_RETURN(0);
+  DBUG_RETURN(res);
 }
 
 static int get_schema_constraints_record(THD *thd, TABLE_LIST *tables,
@@ -9370,13 +9387,15 @@ ST_FIELD_INFO spatial_ref_sys_fields_info[]=
 ST_FIELD_INFO check_constraints_fields_info[]=
 {
   {"CONSTRAINT_CATALOG", FN_REFLEN, MYSQL_TYPE_STRING, 0, 0, 0, OPEN_FULL_TABLE},
-  {"CONSTRAINT_SCHEMA", NAME_CHAR_LEN, MYSQL_TYPE_STRING, 0, 0, 0, OPEN_FULL_TABLE},
+  {"CONSTRAINT_SCHEMA", NAME_CHAR_LEN, MYSQL_TYPE_STRING, 0, 0, 0,
+   OPEN_FULL_TABLE},
   {"TABLE_NAME", NAME_CHAR_LEN, MYSQL_TYPE_STRING, 0, 0, 0, OPEN_FULL_TABLE},
-  {"CONSTRAINT_NAME", NAME_CHAR_LEN, MYSQL_TYPE_STRING, 0, 0, 0, OPEN_FULL_TABLE},
-  {"CHECK_CLAUSE", NAME_CHAR_LEN, MYSQL_TYPE_STRING, 0, 0, 0, OPEN_FULL_TABLE},
-  {0, 0, MYSQL_TYPE_STRING, 0, 0, 0, SKIP_OPEN_TABLE }
+  {"CONSTRAINT_NAME", NAME_CHAR_LEN, MYSQL_TYPE_STRING, 0, 0, 0,
+   OPEN_FULL_TABLE},
+  {"CHECK_CLAUSE", NAME_CHAR_LEN, MYSQL_TYPE_STRING, 0, 0, 0,
+   OPEN_FULL_TABLE},
+  {0, 0, MYSQL_TYPE_STRING, 0, 0, 0, SKIP_OPEN_TABLE}
 };
-
 /*
   Description of ST_FIELD_INFO in table.h
 
@@ -9393,7 +9412,7 @@ ST_SCHEMA_TABLE schema_tables[]=
   {"CHARACTER_SETS", charsets_fields_info, 0,
    fill_schema_charsets, make_character_sets_old_format, 0, -1, -1, 0, 0},
   {"CHECK_CONSTRAINTS", check_constraints_fields_info, 0, get_all_tables, 0,
-  get_check_constraints_record, 1, 2, 0, OPTIMIZE_I_S_TABLE|OPEN_TABLE_ONLY},
+   get_check_constraints_record, 1, 2, 0, OPTIMIZE_I_S_TABLE|OPEN_TABLE_ONLY},
   {"COLLATIONS", collation_fields_info, 0,
    fill_schema_collation, make_old_format, 0, -1, -1, 0, 0},
   {"COLLATION_CHARACTER_SET_APPLICABILITY", coll_charset_app_fields_info,