From 0b28d7e048fa097280be54f9baffd202f7626bdd Mon Sep 17 00:00:00 2001 From: Praveenkumar Hulakund Date: Wed, 10 Sep 2014 10:50:17 +0530 Subject: Bug#18790730 - CROSS-DATABASE FOREIGN KEY WITHOUT PERMISSIONS CHECK. Analysis: ---------- Issue here is, while creating or altering the InnoDB table, if the foreign key defined on the table references a parent table on which the user has no access privileges then the table is created without reporting any error. Currently the privilege level REFERENCES_ACL is unused and is not used for access evaluation while creating the table with a foreign key constraint or adding the foreign key constraint to a table. But when no privileges are granted to user then also access evaluation on parent table is ignored. Fix: --------- For DMLs, irrelevant of the fact, support does not want any changes to avoid permission checks on every operation. So, as a fix, added a function "check_fk_parent_table_access" to check whether any of the SELECT_ACL, INSERT_ACL, UDPATE_ACL, DELETE_ACL or REFERENCE_ACL privileges are granted for user at table level. If none of them is granted then error is reported. This function is called during the table creation and alter operation. --- sql/sql_parse.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'sql/sql_parse.h') diff --git a/sql/sql_parse.h b/sql/sql_parse.h index 9a55174b0fb..f7b4d530543 100644 --- a/sql/sql_parse.h +++ b/sql/sql_parse.h @@ -45,6 +45,9 @@ bool delete_precheck(THD *thd, TABLE_LIST *tables); bool insert_precheck(THD *thd, TABLE_LIST *tables); bool create_table_precheck(THD *thd, TABLE_LIST *tables, TABLE_LIST *create_table); +bool check_fk_parent_table_access(THD *thd, + HA_CREATE_INFO *create_info, + Alter_info *alter_info); bool parse_sql(THD *thd, Parser_state *parser_state, -- cgit v1.2.1
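Review bot: The new prototype `check_fk_parent_table_access` declares an authorization check with no comment, so neither the meaning of its `bool` result nor the policy it enforces is visible at the declaration. Per the commit description, the check passes when the user holds any one of SELECT, INSERT, UPDATE, DELETE or REFERENCES on the parent table. That is weaker than requiring REFERENCES and worth stating, so that callers and later readers do not assume REFERENCES is enforced. I would add above the prototype something like `/* FK parent-table privilege check for CREATE/ALTER TABLE: fails unless the user holds at least one of SELECT, INSERT, UPDATE, DELETE or REFERENCES on the referenced parent table; callers must not ignore the result. */`. The return polarity should be added once confirmed against the definition, which is not on this page (the view is limited to sql/sql_parse.h), and the same goes for the call sites in the create and alter paths.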