From 3bad2119f9dedc581bf3b9d7335740f563db5803 Mon Sep 17 00:00:00 2001 
From: Martin Hansson
Date: Wed, 3 Sep 2008 16:45:40 +0200
Subject: Bug#36086: SELECT * from views don't check column grants

This patch also fixes bugs 36963 and 35600.

- In many places a view was confused with an anonymous derived
  table, i.e. access checking was skipped. Fixed by introducing a
  predicate to tell the difference between named and anonymous
  derived tables.

- When inserting fields for "SELECT * ", there was no
  distinction between base tables and views, where one should be
  made. View privileges are checked elsewhere.

mysql-test/include/grant_cache.inc:
  Bug#36086: Changed test case.
mysql-test/r/grant2.result:
  Bug#36086: Changed test result.
mysql-test/r/grant_cache_no_prot.result:
  Bug#36086: Changed test result.
mysql-test/r/grant_cache_ps_prot.result:
  Bug#36086: Changed test result.
mysql-test/r/view_grant.result:
  Bug#36086: Test result.
mysql-test/t/grant2.test:
  Bug#36086: Changed test case.
mysql-test/t/view_grant.test:
  Bug#36086: Test case.
sql/item.cc:
  Bug#36086: Replaced conditional with new methods.
sql/sql_acl.cc:
  Bug no 35600:
  In mysql_table_grant:
  Replaced conditional with the new accessor method.

  In check_grant:
  - Changed the requirement table->derived != null to
    checking all anonymous derived tables.
  - Use of the accessor methods for getting object and database names.

  Bug#36086:
  In check_grant_all_columns:
  - Updated comment. This function is now called for views as well.
  - The error message should not disclose any column names
    unless the user has privilege to see all column names.
  - Changed names of Field_iterator_table_ref methods.
sql/sql_base.cc:
  Bug no 36963:
  In insert_fields()
  - Commented.
  - We should call check_grant_all_columns() for views in this case.
  - Changed names of Field_iterator_table_ref methods.
  - We should not disclose column names in the error message
    when the user has no appropriate privilege.
sql/sql_cache.cc:
  Bug#36086: Replaced test with new predicate method.
sql/sql_derived.cc:
  Bug#36086: commenting only.
  Updated and doxygenated comment for mysql_derived_prepare().
sql/sql_parse.cc:
  Bug no 35600:
  - In check_single_table_access: Due to the bug, check_grant would
    raise an error for a SHOW CREATE TABLE command for a TEMPTABLE view.
    It should in fact not be invoked in this case. This table privilege
    is checked already. There is a test case for this in
    information_schema_db.test.
  - In check_access: replaced table->derived
sql/table.cc:
  Bug#36086:
  - In TABLE_LIST::set_underlying_merge(): Commenting only.
    Doxygenated, corrected spelling, added.
  - Renamed table_name() and db_name() methods of
    Field_iterator_table_ref in order to be consistent with new
    methods in TABLE_LIST.
sql/table.h:
  Bug#36086:
  - Commented GRANT_INFO.
  - Added a predicate is_anonymous_derived_table() to TABLE_LIST.
  - Added get_table_name() and get_db_name() to TABLE_LIST in order to
    hide the disparate representation of these properties.
---
 sql/sql_derived.cc | 76 +++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 53 insertions(+), 23 deletions(-)

(limited to 'sql/sql_derived.cc')

diff --git a/sql/sql_derived.cc b/sql/sql_derived.cc
index 10b42e11b26..41be98621a6 100644
--- a/sql/sql_derived.cc
+++ b/sql/sql_derived.cc
@@ -73,29 +73,59 @@ out: } -/* - Create temporary table structure (but do not fill it) - - SYNOPSIS - mysql_derived_prepare() - thd Thread handle - lex LEX for this thread - orig_table_list TABLE_LIST for the upper SELECT - - IMPLEMENTATION - Derived table is resolved with temporary table. - - After table creation, the above TABLE_LIST is updated with a new table. - - This function is called before any command containing derived table - is executed. - - Derived tables is stored in thd->derived_tables and freed in - close_thread_tables() - - RETURN - FALSE OK - TRUE Error +/** + @brief Create temporary table structure (but do not fill it). + + @param thd Thread handle + @param lex LEX for this thread + @param orig_table_list TABLE_LIST for the upper SELECT + + @details + + This function is called before any command containing derived tables is + executed. Currently the function is used for derived tables, i.e. + + - Anonymous derived tables, or + - Named derived tables (aka views) with the @c TEMPTABLE algorithm. + + The table reference, contained in @c orig_table_list, is updated with the + fields of a new temporary table. + + Derived tables are stored in @c thd->derived_tables and closed by + close_thread_tables(). + + This function is part of the procedure that starts in + open_and_lock_tables(), a procedure that - among other things - introduces + new table and table reference objects (to represent derived tables) that + don't exist in the privilege database. This means that normal privilege + checking cannot handle them. Hence this function does some extra tricks in + order to bypass normal privilege checking, by exploiting the fact that the + current state of privilege verification is attached as GRANT_INFO structures + on the relevant TABLE and TABLE_REF objects. + + For table references, the current state of accrued access is stored inside + TABLE_LIST::grant. 
Hence this function must update the state of fulfilled + privileges for the new TABLE_LIST, an operation which is normally performed + exclusively by the table and database access checking functions, + check_access() and check_grant(), respectively. This modification is done + for both views and anonymous derived tables: The @c SELECT privilege is set + as fulfilled by the user. However, if a view is referenced and the table + reference is queried against directly (see TABLE_LIST::referencing_view), + the state of privilege checking (GRANT_INFO struct) is copied as-is to the + temporary table. + + This function implements a signature called "derived table processor", and + is passed as a function pointer to mysql_handle_derived(). + + @note This function sets @c SELECT_ACL for @c TEMPTABLE views as well as + anonymous derived tables, but this is ok since later access checking will + distinguish between them. + + @see mysql_handle_derived(), mysql_derived_filling(), GRANT_INFO + + @return + false OK + true Error */ bool mysql_derived_prepare(THD *thd, LEX *lex, TABLE_LIST *orig_table_list) -- cgit v1.2.1
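Review bot: the @note at the end of the new comment block justifies setting SELECT_ACL for TEMPTABLE views with "later access checking will distinguish between them" but never says which check does that. Since this bug was precisely a view being handled like an anonymous derived table, the comment should name the function that enforces the distinction (the commit message points to check_grant() and the new TABLE_LIST::is_anonymous_derived_table() predicate) and list it on the @see line, so a reader auditing the privilege path can confirm that the pre-set SELECT bit is never the only gate in front of a view's columns. The same applies to the sentence about doing "extra tricks in order to bypass normal privilege checking": state the invariant that makes this safe rather than only describing the mechanism. Two smaller points in the same block: "TABLE and TABLE_REF objects" uses a type name that appears nowhere else in the comment, which otherwise says TABLE_LIST, and the "@return false OK / true Error" pair would read better as two @retval entries.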