> ------------------------------------------------------------
> revno: 3367 [merge]
> revision-id: joro@sun.com-20100504140328-srxf3c088j2twnq6
> parent: kristofer.pettersson@sun.com-20100503172109-f9hracq5pqsaomb1
> parent: joro@sun.com-20100503151651-nakknn8amrapmdp7
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: B53371-5.1-bugteam
> timestamp: Tue 2010-05-04 17:03:28 +0300
> message:
>   Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
>   
>   This is the 5.1 merge and extension of the fix.
>   The server was happily accepting paths in table name in all places a table
>   name is accepted (e.g. a SELECT). This allowed all users that have some 
>   privilege over some database to read all tables in all databases in all
>   mysql server instances that the server file system has access to.
>   Fixed by :
>   1. making sure no path elements are allowed in quoted table name when
>   constructing the path (note that the path symbols are still valid in table names
>   when they're properly escaped by the server).
>   2. checking the #mysql50# prefixed names the same way they're checked for
>   path elements in mysql-5.0.
> ------------------------------------------------------------
> Use --include-merges or -n0 to see merged revisions.