Bug#48319: Server crashes on "GRANT/REVOKE ... TO CURRENT_USER"

CURRENT_USER() in GRANT ... TO CURRENT_USER() only gave us a definer, not a full user (i.e., password-element was not initiliazed). Hence dereferencing the password led to a crash. Properly initializes definers now, just so there are no misunderstandings. Also does some magic so IDENTIFIED BY ... works with CURRENT_USER().

Bug#48319: Server crashes on "GRANT/REVOKE ... TO CURRENT_USER"
CURRENT_USER() in GRANT ... TO CURRENT_USER() only gave us a definer, not a full user (i.e., password-element was not initiliazed). Hence dereferencing the password led to a crash. Properly initializes definers now, just so there are no misunderstandings. Also does some magic so IDENTIFIED BY ... works with CURRENT_USER().
305f78c3 · Tatiana A. Nurnberg · fccc33a3 · 305f78c3 · 305f78c3 · 305f78c3
Commit 305f78c3 authored Oct 29, 2009 by Tatiana A. Nurnberg
Showing with 74 additions and 0 deletions

mysql-test/r/grant2.result mysql-test/r/grant2.result +27 -0

mysql-test/t/grant2.test mysql-test/t/grant2.test +35 -0

sql/sql_acl.cc sql/sql_acl.cc +7 -0

sql/sql_parse.cc sql/sql_parse.cc +5 -0

No files found.
--- a/mysql-test/r/grant2.result
+++ b/mysql-test/r/grant2.result
@@ -443,3 +443,30 @@ DROP TABLE db1.t1, db1.t2;
 DROP USER mysqltest1@localhost;
 DROP DATABASE db1;
 End of 5.0 tests
+USE mysql;
+SELECT LEFT(CURRENT_USER(),INSTR(CURRENT_USER(),'@')-1) INTO @u;
+SELECT MID(CURRENT_USER(),INSTR(CURRENT_USER(),'@')+1)  INTO @h;
+SELECT password FROM user WHERE user=@u AND host=@h INTO @pwd;
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+user	host	password	insert_priv
+root	localhost		Y
+UPDATE user SET insert_priv='N' WHERE user=@u AND host=@h;
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+user	host	password	insert_priv
+root	localhost		N
+GRANT INSERT ON *.* TO CURRENT_USER();
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+user	host	password	insert_priv
+root	localhost		Y
+UPDATE user SET insert_priv='N' WHERE user=@u AND host=@h;
+GRANT INSERT ON *.* TO CURRENT_USER() IDENTIFIED BY 'keksdose';
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+user	host	password	insert_priv
+root	localhost	*0BB7188CF0DE9B403BA66E9DD810D82652D002EB	Y
+UPDATE user SET password=@pwd WHERE user=@u AND host=@h;
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+user	host	password	insert_priv
+root	localhost		Y
+FLUSH PRIVILEGES;
+USE test;
+End of 5.1 tests
--- a/mysql-test/t/grant2.test
+++ b/mysql-test/t/grant2.test
@@ -632,5 +632,40 @@ DROP DATABASE db1;

 --echo End of 5.0 tests

+#
+# Bug #48319: Server crashes on "GRANT/REVOKE ... TO CURRENT_USER"
+#
+
+# work out who we are.
+USE mysql;
+SELECT LEFT(CURRENT_USER(),INSTR(CURRENT_USER(),'@')-1) INTO @u;
+SELECT MID(CURRENT_USER(),INSTR(CURRENT_USER(),'@')+1)  INTO @h;
+SELECT password FROM user WHERE user=@u AND host=@h INTO @pwd;
+
+# show current privs.
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+
+# toggle INSERT
+UPDATE user SET insert_priv='N' WHERE user=@u AND host=@h;
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+
+# show that GRANT ... TO CURRENT_USER() no longer crashes
+GRANT INSERT ON *.* TO CURRENT_USER();
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+UPDATE user SET insert_priv='N' WHERE user=@u AND host=@h;
+
+# show that GRANT ... TO CURRENT_USER() IDENTIFIED BY ... works now
+GRANT INSERT ON *.* TO CURRENT_USER() IDENTIFIED BY 'keksdose';
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+
+UPDATE user SET password=@pwd WHERE user=@u AND host=@h;
+SELECT user,host,password,insert_priv FROM user WHERE user=@u AND host=@h;
+
+FLUSH PRIVILEGES;
+
+USE test;
+
+--echo End of 5.1 tests
+
 # Wait till we reached the initial number of concurrent sessions
 --source include/wait_until_count_sessions.inc
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -3451,6 +3451,13 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list,
      result= TRUE;
      continue;
    }
+    /*
+      No User, but a password?
+      They did GRANT ... TO CURRENT_USER() IDENTIFIED BY ... !
+      Get the current user, and shallow-copy the new password to them!
+    */
+    if (!tmp_Str->user.str && tmp_Str->password.str)
+      Str->password= tmp_Str->password;
    if (replace_user_table(thd, tables[0].table, *Str,
                           (!db ? rights : 0), revoke_grant, create_new_users,
                           test(thd->variables.sql_mode &

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -7573,6 +7573,9 @@ void get_default_definer(THD *thd, LEX_USER *definer)

  definer->host.str= (char *) sctx->priv_host;
  definer->host.length= strlen(definer->host.str);
+
+  definer->password.str= NULL;
+  definer->password.length= 0;
 }


@@ -7624,6 +7627,8 @@ LEX_USER *create_definer(THD *thd, LEX_STRING *user_name, LEX_STRING *host_name)

  definer->user= *user_name;
  definer->host= *host_name;
+  definer->password.str= NULL;
+  definer->password.length= 0;

  return definer;
 }