authorGeorgi Kodinov <kgeorge@mysql.com>2009-02-26 19:00:44 +0200
committerGeorgi Kodinov <kgeorge@mysql.com>2009-02-26 19:00:44 +0200
commita9d707037ab527564bb84885e0af69a2bb793219 (patch)
tree732fdcce66b92b9258bafe5549407a06c5fd2274 /sql/sql_acl.cc
parentdebb95ca22270797a9f5a9f488bdf8dc93b41a9e (diff)
Bug #41354: Access control is bypassed when all columns
of a view are selected by * wildcard Backported a part of the fix for 36086 to 5.0 mysql-test/r/view_grant.result: Bug #41354: test case mysql-test/t/view_grant.test: Bug #41354: test case sql/sql_acl.cc: Bug #41354: return table error when no access and * sql/sql_base.cc: Bug #41354: backported the check in bug 36086 to 5.0
Diffstat (limited to 'sql/sql_acl.cc')
-rw-r--r--sql/sql_acl.cc28
1 files changed, 22 insertions, 6 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 22135d376fe..c59c42d512a 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -3866,6 +3866,11 @@ bool check_grant_all_columns(THD *thd, ulong want_access_arg,
Security_context *sctx= thd->security_ctx;
ulong want_access= want_access_arg;
const char *table_name= NULL;
+ /*
+ Flag that gets set if privilege checking has to be performed on column
+ level.
+ */
+ bool using_column_privileges= FALSE;
if (grant_option)
{
@@ -3909,6 +3914,8 @@ bool check_grant_all_columns(THD *thd, ulong want_access_arg,
GRANT_COLUMN *grant_column=
column_hash_search(grant_table, field_name,
(uint) strlen(field_name));
+ if (grant_column)
+ using_column_privileges= TRUE;
if (!grant_column || (~grant_column->rights & want_access))
goto err;
}
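Review bot: using_column_privileges is set only when column_hash_search() returns an entry, so a lookup miss on the first field visited reaches `goto err` with the flag still FALSE, and the err: hunk then takes the ER_COLUMNACCESS_DENIED_ERROR branch, which prints fields->name(). The result therefore depends on field order and on whether any column grant exists, which looks narrower than the declaration comment in the first hunk ("privilege checking has to be performed on column level"). If the intent is to suppress the column name whenever the check drops to column level, set the flag before the lookup with `using_column_privileges= TRUE;` ahead of `GRANT_COLUMN *grant_column=`; otherwise reword the declaration comment to say it records that a column grant was found. The loop and its table-level checks start outside this hunk, so this needs confirming against the full function.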
@@ -3924,12 +3931,21 @@ err:
char command[128];
get_privilege_desc(command, sizeof(command), want_access);
- my_error(ER_COLUMNACCESS_DENIED_ERROR, MYF(0),
- command,
- sctx->priv_user,
- sctx->host_or_ip,
- fields->name(),
- table_name);
+ /*
+ Do not give an error message listing a column name unless the user has
+ privilege to see all columns.
+ */
+ if (using_column_privileges)
+ my_error(ER_TABLEACCESS_DENIED_ERROR, MYF(0),
+ command, sctx->priv_user,
+ sctx->host_or_ip, table_name);
+ else
+ my_error(ER_COLUMNACCESS_DENIED_ERROR, MYF(0),
+ command,
+ sctx->priv_user,
+ sctx->host_or_ip,
+ fields->name(),
+ table_name);
return 1;
}
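Review bot: The comment added above `if (using_column_privileges)` describes a condition the code does not test: it speaks of the user having privilege to see all columns, while the branch keys on whether a column-level grant was found earlier in the function. A wording that matches the code would be `/* A column grant was found but access is still denied: report a table-level error so the message does not reveal a column name. */`. The two `my_error` calls also sit under an unbraced if/else spanning several lines each; adding braces would make the branch boundaries harder to misread in an access-control path. The body of check_grant_all_columns starts outside this hunk.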