authorkroki/tomash@moonlight.intranet <>2006-07-13 17:12:31 +0400
committerkroki/tomash@moonlight.intranet <>2006-07-13 17:12:31 +0400
commit4272d1efc3a7a106b50f47939d823ee256002f9d (patch)
tree1de91a48fd485ddebde7c556a0e2ccd7d70ed581 /sql/sp_head.h
parent96bddcafe7072a9a709122b438499f765652a600 (diff)
Bug#18630: Arguments of suid routine calculated in wrong security
context. Routine arguments were evaluated in the security context of the routine itself, not in the caller's context. The bug is fixed in the following way: - Item_func_sp::find_and_check_access() has been split into two functions: Item_func_sp::find_and_check_access() itself only finds the function and checks that the caller has EXECUTE privilege on it. The new function set_routine_security_ctx() changes the security context for SUID routines and checks that the definer has EXECUTE privilege too. - The new function sp_head::execute_trigger() is called from Table_triggers_list::process_triggers() instead of sp_head::execute_function(); it is effectively the same as sp_head::execute_function(), with all non-trigger-related code removed and a trigger-specific security context switch added. - The call to Item_func_sp::find_and_check_access() stays outside of sp_head::execute_function(), and there is code in sql_parse.cc before the call to sp_head::execute_procedure() that checks that the caller has EXECUTE privilege, but both sp_head::execute_function() and sp_head::execute_procedure() call set_routine_security_ctx() after evaluating their parameters, and restore the context after the body is executed.
Diffstat (limited to 'sql/sp_head.h')
-rw-r--r--sql/sp_head.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/sql/sp_head.h b/sql/sp_head.h
index 073cca2cd12..36747716bdc 100644
--- a/sql/sp_head.h
+++ b/sql/sp_head.h
@@ -207,6 +207,10 @@ public:
destroy();
bool
+ execute_trigger(THD *thd, const char *db, const char *table,
+ GRANT_INFO *grant_onfo);
+
+ bool
execute_function(THD *thd, Item **args, uint argcount, Field *return_fld);
bool
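Review bot: The last parameter of the new `execute_trigger()` declaration is spelled `grant_onfo`, which looks like a typo for `grant_info`; it should read `GRANT_INFO *grant_info);` here and in the definition. The declaration also carries no comment, although the commit message says this entry point performs a trigger-specific security context switch. A short comment above it should state which context the trigger body runs in, that the caller's context is restored before returning, and what the `bool` result means. The enclosing class starts and ends outside the hunk, so I cannot tell whether this declaration sits under a `NO_EMBEDDED_ACCESS_CHECKS` guard like the helpers in the second hunk; if it does not, the comment should also say how the context switch behaves when access checks are compiled out.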
@@ -1149,6 +1153,10 @@ sp_change_security_context(THD *thd, sp_head *sp,
Security_context **backup);
void
sp_restore_security_context(THD *thd, Security_context *backup);
+
+bool
+set_routine_security_ctx(THD *thd, sp_head *sp, bool is_proc,
+ Security_context **save_ctx);
#endif /* NO_EMBEDDED_ACCESS_CHECKS */
TABLE_LIST *
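Review bot: The new `set_routine_security_ctx()` declaration does not say what `*save_ctx` holds when no switch takes place or when the call fails, and callers need that to restore the context safely. Per the commit message it switches context only for SUID routines and also checks the definer's EXECUTE privilege, so a single `bool` covers at least three outcomes: switched, not switched, and denied. I would add a comment above the declaration along the lines of `/* Returns TRUE on error; on success *save_ctx is the context to hand to sp_restore_security_context(), or NULL if no switch was made. */`, adjusted to what the definition actually does, which is not visible in this hunk. Because the declaration sits inside `#ifndef NO_EMBEDDED_ACCESS_CHECKS`, every call site has to carry the same guard, and that is worth stating in the comment too.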