now GRANT db.* ... compares patterns correctly to prevent privilege escalation

7 files changed, 20 insertions, 21 deletions

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 1bdca7167e8..5034aaf9bd6 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -877,7 +877,7 @@ static void acl_insert_db(const char *user, const char *host, const char *db,
 *****************************************************************************/
 
 ulong acl_get(const char *host, const char *ip, const char *bin_ip,
-	     const char *user, const char *db)
+	     const char *user, const char *db, my_bool db_is_pattern)
 {
   ulong host_access,db_access;
   uint i,key_length;
@@ -911,7 +911,7 @@ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
     {
       if (compare_hostname(&acl_db->host,host,ip))
       {
-	if (!acl_db->db || !wild_compare(db,acl_db->db))
+	if (!acl_db->db || !wild_compare(db,acl_db->db,db_is_pattern))
 	{
 	  db_access=acl_db->access;
 	  if (acl_db->host.hostname)
@@ -933,7 +933,7 @@ ulong acl_get(const char *host, const char *ip, const char *bin_ip,
     ACL_HOST *acl_host=dynamic_element(&acl_hosts,i,ACL_HOST*);
     if (compare_hostname(&acl_host->host,host,ip))
     {
-      if (!acl_host->db || !wild_compare(db,acl_host->db))
+      if (!acl_host->db || !wild_compare(db,acl_host->db,db_is_pattern))
       {
 	host_access=acl_host->access;		// Fully specified. Take it
 	break;
@@ -1271,7 +1271,7 @@ static bool compare_hostname(const acl_host_and_ip *host, const char *hostname,
   return (!host->hostname ||
 	  (hostname && !wild_case_compare(&my_charset_latin1,
                                           hostname,host->hostname)) ||
-	  (ip && !wild_compare(ip,host->hostname)));
+	  (ip && !wild_compare(ip,host->hostname,0)));
 }
 
 
@@ -1331,7 +1331,7 @@ static bool test_if_create_new_users(THD *thd)
     tl.db=	   (char*) "mysql";
     tl.real_name=  (char*) "user";
     db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
-		      thd->priv_user, tl.db);
+		      thd->priv_user, tl.db, 0);
     if (!(db_access & INSERT_ACL))
     {
       if (check_grant(thd,INSERT_ACL,&tl,0,1))
diff --git a/sql/sql_acl.h b/sql/sql_acl.h
index e6c6771253c..ca976f43999 100644
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -134,7 +134,7 @@ my_bool  acl_init(THD *thd, bool dont_read_acl_tables);
 void acl_reload(THD *thd);
 void acl_free(bool end=0);
 ulong acl_get(const char *host, const char *ip, const char *bin_ip,
-	      const char *user, const char *db);
+	      const char *user, const char *db, my_bool db_is_pattern);
 ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
 		  const char *password,const char *scramble,
                   char **priv_user, char *priv_host,
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index 641ab46e5e0..43368fe5433 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -148,7 +148,7 @@ OPEN_TABLE_LIST *list_open_tables(THD *thd, const char *wild)
     if (wild)
     {
       strxmov(name,entry->table_cache_key,".",entry->real_name,NullS);
-      if (wild_compare(name,wild))
+      if (wild_compare(name,wild,0))
 	continue;
     }
 
diff --git a/sql/sql_db.cc b/sql/sql_db.cc
index f8cf1eee0c5..844fd05aefa 100644
--- a/sql/sql_db.cc
+++ b/sql/sql_db.cc
@@ -591,7 +591,7 @@ bool mysql_change_db(THD *thd, const char *name)
     db_access=DB_ACLS;
   else
     db_access= (acl_get(thd->host,thd->ip,(char*) &thd->remote.sin_addr,
-			thd->priv_user,dbname) |
+			thd->priv_user,dbname,0) |
 		thd->master_access);
   if (!(db_access & DB_ACLS) && (!grant_option || check_grant_db(thd,dbname)))
   {
@@ -625,8 +625,8 @@ bool mysql_change_db(THD *thd, const char *name)
 
   strmov(path+unpack_dirname(path,path), MY_DB_OPT_FILE);
   load_db_opt(thd, path, &create);
-  thd->db_charset= create.table_charset ? 
-		   create.table_charset : 
+  thd->db_charset= create.table_charset ?
+		   create.table_charset :
 		   global_system_variables.character_set_database;
   thd->variables.character_set_database= thd->db_charset;
   DBUG_RETURN(0);
@@ -644,18 +644,18 @@ int mysqld_show_create_db(THD *thd, char *dbname,
   uint create_options = create_info ? create_info->options : 0;
   Protocol *protocol=thd->protocol;
   DBUG_ENTER("mysql_show_create_db");
-  
+
   if (check_db_name(dbname))
   {
     net_printf(thd,ER_WRONG_DB_NAME, dbname);
     DBUG_RETURN(1);
   }
-  
+
   if (test_all_bits(thd->master_access,DB_ACLS))
     db_access=DB_ACLS;
   else
     db_access= (acl_get(thd->host,thd->ip,(char*) &thd->remote.sin_addr,
-			thd->priv_user,dbname) |
+			thd->priv_user,dbname,0) |
 		thd->master_access);
   if (!(db_access & DB_ACLS) && (!grant_option || check_grant_db(thd,dbname)))
   {
@@ -669,7 +669,7 @@ int mysqld_show_create_db(THD *thd, char *dbname,
 		    dbname);
     DBUG_RETURN(1);
   }
-  
+
   (void) sprintf(path,"%s/%s",mysql_data_home, dbname);
   length=unpack_dirname(path,path);		// Convert if not unix
   found_libchar= 0;
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 9e670a97e92..820bf3d73cc 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -3254,7 +3254,7 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
     if (!(thd->master_access & SELECT_ACL) &&
 	(db && (!thd->db || strcmp(db,thd->db))))
       db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
-			thd->priv_user, db); /* purecov: inspected */
+			thd->priv_user, db, test(want_access & GRANT_ACL));
     *save_priv=thd->master_access | db_access;
     DBUG_RETURN(FALSE);
   }
@@ -3274,7 +3274,7 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
 
   if (db && (!thd->db || strcmp(db,thd->db)))
     db_access=acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
-		      thd->priv_user, db); /* purecov: inspected */
+		      thd->priv_user, db, test(want_access & GRANT_ACL));
   else
     db_access=thd->db_access;
   // Remove SHOW attribute and access rights we already have
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index e8cb59e387e..9084269f486 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -75,7 +75,7 @@ mysqld_show_dbs(THD *thd,const char *wild)
   {
     if (thd->master_access & (DB_ACLS | SHOW_DB_ACL) ||
 	acl_get(thd->host, thd->ip, (char*) &thd->remote.sin_addr,
-		thd->priv_user, file_name) ||
+		thd->priv_user, file_name,0) ||
 	(grant_option && !check_grant_db(thd, file_name)))
     {
       protocol->prepare_for_resend();
@@ -415,7 +415,7 @@ mysql_find_files(THD *thd,List<char> *files, const char *db,const char *path,
 #endif
       {
         if (file->name[0] == '.' || !MY_S_ISDIR(file->mystat.st_mode) ||
-            (wild && wild_compare(file->name,wild)))
+            (wild && wild_compare(file->name,wild,0)))
           continue;
       }
     }
@@ -433,7 +433,7 @@ mysql_find_files(THD *thd,List<char> *files, const char *db,const char *path,
 	  if (wild_case_compare(system_charset_info,file->name,wild))
 	    continue;
 	}
-	else if (wild_compare(file->name,wild))
+	else if (wild_compare(file->name,wild,0))
 	  continue;
       }
     }
@@ -1031,7 +1031,7 @@ store_create_info(THD *thd, TABLE *table, String *packet)
   my_bool limited_mysql_mode= (thd->variables.sql_mode &
 			       (MODE_NO_FIELD_OPTIONS | MODE_MYSQL323 |
 				MODE_MYSQL40)) != 0;
-			       
+
   DBUG_ENTER("store_create_info");
   DBUG_PRINT("enter",("table: %s",table->real_name));
 
diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy
index 709181af7fa..a5ac04dc775 100644
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -547,7 +547,6 @@ bool my_yyoverflow(short **a, YYSTYPE **b,int *yystacksize);
 %token  SUBJECT_SYM
 %token  CIPHER_SYM
 
-%token  HELP
 %token  BEFORE_SYM
 %left   SET_VAR
 %left	OR_OR_CONCAT OR