maria-developers team mailing list archive

Thread
Date

Re: [Commits] 730a22c: Fixed bug mdev-13453 Executing a query via CTE requires more permissions

To: maria-developers@xxxxxxxxxxxxxxxxxxx, commits@xxxxxxxxxxx, Igor Babaev <igor@xxxxxxxxxxxx>
From: Oleksandr Byelkin <sanja@xxxxxxxxxxxxxxxx>
Date: Tue, 14 Nov 2017 15:12:38 +0100
In-reply-to: <20171114000604.56E6612176E@stephan>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

Am 14.11.2017 um 01:06 schrieb IgorBabaev:

revision-id: 730a22c1ce1010e853e7a3e807d1d07409ec4dfc (mariadb-10.2.10-28-g730a22c)
parent(s): 1e2d4f677e08294691a7d218acb3b9f78727ae18
author: Igor Babaev
committer: Igor Babaev
timestamp: 2017-11-13 16:06:04 -0800
message:

Fixed bug mdev-13453 Executing a query via CTE requires more permissions
than the query itself

ACL checks were not properly supported for tables used in CTE
specifications. This patch fixes the problem.

---
  mysql-test/r/cte_nonrecursive.result | 58 ++++++++++++++++++++++++++++++++++++
  mysql-test/t/cte_nonrecursive.test   | 51 +++++++++++++++++++++++++++++++
  sql/sql_acl.cc                       |  4 +++
  sql/sql_cte.cc                       |  3 +-
  sql/sql_parse.cc                     |  4 +++
  5 files changed, 119 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/cte_nonrecursive.result b/mysql-test/r/cte_nonrecursive.result
index ebe1aae..92f9151 100644
--- a/mysql-test/r/cte_nonrecursive.result
+++ b/mysql-test/r/cte_nonrecursive.result
@@ -1147,3 +1147,61 @@ SELECT * FROM cte_test;
  a
  1
  DROP VIEW cte_test;
+#
+# MDEV-13453:
+#

[skip]

--- a/mysql-test/t/cte_nonrecursive.test
+++ b/mysql-test/t/cte_nonrecursive.test
@@ -790,3 +790,54 @@ SHOW CREATE VIEW cte_test;
  SELECT * FROM cte_test;

DROP VIEW cte_test;

+
+--echo #
+--echo # MDEV-13453: privileges checking for CTE
+--echo #
+

This is for sure do not match results above, so please fix it and makesure that full test suite passed.


[skip]

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -7557,6 +7557,10 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
        tl->correspondent_table ? tl->correspondent_table : tl;
      sctx= t_ref->security_ctx ? t_ref->security_ctx : thd->security_ctx;

+ if (tl->with ||

+        (tl->with= tl->select_lex->find_table_def_in_with_clauses(tl)))
+      continue;
+
      const ACL_internal_table_access *access=
        get_cached_table_access(&t_ref->grant.m_internal,
                                t_ref->get_db_name(),
diff --git a/sql/sql_cte.cc b/sql/sql_cte.cc
index 6fe08e3..e1bd455 100644
--- a/sql/sql_cte.cc
+++ b/sql/sql_cte.cc
@@ -823,9 +823,10 @@ st_select_lex_unit *With_element::clone_parsed_spec(THD *thd,
         tbl;
         tbl= tbl->next_global)
    {
-    tbl->grant.privilege= with_table->grant.privilege;
      spec_tables_tail= tbl;
    }
+  if (check_table_access(thd, SELECT_ACL, spec_tables, FALSE, UINT_MAX, FALSE))
+    goto err;
    if (spec_tables)
    {
      if (with_table->next_global)
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index bf5144b..39a4da9 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -3443,6 +3443,10 @@ mysql_execute_command(THD *thd)
      ulong privileges_requested= lex->exchange ? SELECT_ACL | FILE_ACL :
        SELECT_ACL;

+ res= check_dependencies_in_with_clauses(thd->lex->with_clauses_list);

+    if (res)
+      break;

Above works only for SELECT, do we support CTE in subselects which canbe put everywhere?

+
      if (all_tables)
        res= check_table_access(thd,
                                privileges_requested,
_______________________________________________
commits mailing list
commits@xxxxxxxxxxx
https://lists.askmonty.org/cgi-bin/mailman/listinfo/commits