Commit 37d35377 authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-5998 MySQL Bug#11756966 - 48958: STORED PROCEDURES CAN BE LEVERAGED TO...

MDEV-5998 MySQL Bug#11756966 - 48958: STORED PROCEDURES CAN BE LEVERAGED TO BYPASS DATABASE SECURITY

Merge from mysql-5.6:
revno: 3257
committer: Jon Olav Hauglid <jon.hauglid@oracle.com>
branch nick: mysql-trunk-bug11756966
timestamp: Thu 2011-07-14 09:32:01 +0200
message:
  Bug#11756966 - 48958: STORED PROCEDURES CAN BE LEVERAGED TO BYPASS
                 DATABASE SECURITY

  The problem was that CREATE PROCEDURE/FUNCTION could be used to
  check the existence of databases for which the user had no
  privileges and therefore should not be allowed to see.

  The reason was that existence of a given database was checked
  before privileges. So trying to create a stored routine in
  a non-existent database would give a different error than trying
  to create a stored routine in a restricted database.

  This patch fixes the problem by changing the order of the checks
  for CREATE PROCEDURE/FUNCTION so that privileges are checked first.
  This means that trying to create a stored routine in a
  non-existent database and in a restricted database both will
  give ER_DBACCESS_DENIED_ERROR error.

  Test case added to grant.test.
parent 29065d50
...@@ -2525,3 +2525,29 @@ DROP USER mysqltest_u1@localhost; ...@@ -2525,3 +2525,29 @@ DROP USER mysqltest_u1@localhost;
# End of Bug#38347. # End of Bug#38347.
#
# Bug#11756966 - 48958: STORED PROCEDURES CAN BE LEVERAGED TO BYPASS
# DATABASE SECURITY
#
DROP DATABASE IF EXISTS secret;
DROP DATABASE IF EXISTS no_such_db;
CREATE DATABASE secret;
GRANT USAGE ON *.* TO untrusted@localhost;
# Connection con1
SHOW GRANTS;
Grants for untrusted@localhost
GRANT USAGE ON *.* TO 'untrusted'@'localhost'
SHOW DATABASES;
Database
information_schema
test
# Both statements below should fail with the same error.
# They used to give different errors, thereby
# hinting that the secret database exists.
CREATE PROCEDURE no_such_db.foo() BEGIN END;
ERROR 42000: Access denied for user 'untrusted'@'localhost' to database 'no_such_db'
CREATE PROCEDURE secret.peek_at_secret() BEGIN END;
ERROR 42000: Access denied for user 'untrusted'@'localhost' to database 'secret'
# Connection default
DROP USER untrusted@localhost;
DROP DATABASE secret;
...@@ -1130,7 +1130,7 @@ CREATE PROCEDURE p1 () ...@@ -1130,7 +1130,7 @@ CREATE PROCEDURE p1 ()
BEGIN BEGIN
SELECT 'foo' FROM DUAL; SELECT 'foo' FROM DUAL;
END | END |
ERROR 42000: Unknown database 'information_schema' ERROR 42000: Access denied for user 'root'@'localhost' to database 'information_schema'
select ROUTINE_NAME from routines where ROUTINE_SCHEMA='information_schema'; select ROUTINE_NAME from routines where ROUTINE_SCHEMA='information_schema';
ROUTINE_NAME ROUTINE_NAME
grant all on information_schema.* to 'user1'@'localhost'; grant all on information_schema.* to 'user1'@'localhost';
......
...@@ -1852,9 +1852,6 @@ revoke select on Foo.* from myuser@localhost; ...@@ -1852,9 +1852,6 @@ revoke select on Foo.* from myuser@localhost;
delete from mysql.user where User='myuser'; delete from mysql.user where User='myuser';
flush privileges; flush privileges;
# Wait till we reached the initial number of concurrent sessions
--source include/wait_until_count_sessions.inc
--echo ######################################################################### --echo #########################################################################
--echo # --echo #
--echo # Bug#38347: ALTER ROUTINE privilege allows SHOW CREATE TABLE. --echo # Bug#38347: ALTER ROUTINE privilege allows SHOW CREATE TABLE.
...@@ -2177,3 +2174,39 @@ DROP USER mysqltest_u1@localhost; ...@@ -2177,3 +2174,39 @@ DROP USER mysqltest_u1@localhost;
--echo --echo
--echo # End of Bug#38347. --echo # End of Bug#38347.
--echo --echo
--echo #
--echo # Bug#11756966 - 48958: STORED PROCEDURES CAN BE LEVERAGED TO BYPASS
--echo # DATABASE SECURITY
--echo #
--disable_warnings
DROP DATABASE IF EXISTS secret;
DROP DATABASE IF EXISTS no_such_db;
--enable_warnings
CREATE DATABASE secret;
GRANT USAGE ON *.* TO untrusted@localhost;
--echo # Connection con1
connect (con1, localhost, untrusted);
SHOW GRANTS;
SHOW DATABASES;
--echo # Both statements below should fail with the same error.
--echo # They used to give different errors, thereby
--echo # hinting that the secret database exists.
--error ER_DBACCESS_DENIED_ERROR
CREATE PROCEDURE no_such_db.foo() BEGIN END;
--error ER_DBACCESS_DENIED_ERROR
CREATE PROCEDURE secret.peek_at_secret() BEGIN END;
--echo # Connection default
--connection default
disconnect con1;
DROP USER untrusted@localhost;
DROP DATABASE secret;
# Wait till we reached the initial number of concurrent sessions
--source include/wait_until_count_sessions.inc
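Review bot: The new test case exercises only `CREATE PROCEDURE`, while the commit message says the check order was changed for CREATE PROCEDURE/FUNCTION, so the function path has no regression coverage in this section. After the two procedure statements I would add the same pair for functions, e.g. `--error ER_DBACCESS_DENIED_ERROR` followed by `CREATE FUNCTION secret.f() RETURNS INT RETURN 1;`, and likewise for `no_such_db`. That keeps the "same error for missing and restricted database" property pinned for both routine types if the two paths ever diverge.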
...@@ -738,7 +738,7 @@ create temporary table schemata(f1 char(10)); ...@@ -738,7 +738,7 @@ create temporary table schemata(f1 char(10));
# Bug#10708 SP's can use INFORMATION_SCHEMA as ROUTINE_SCHEMA # Bug#10708 SP's can use INFORMATION_SCHEMA as ROUTINE_SCHEMA
# #
delimiter |; delimiter |;
--error ER_BAD_DB_ERROR --error ER_DBACCESS_DENIED_ERROR
CREATE PROCEDURE p1 () CREATE PROCEDURE p1 ()
BEGIN BEGIN
SELECT 'foo' FROM DUAL; SELECT 'foo' FROM DUAL;
......
...@@ -4479,6 +4479,10 @@ end_with_restore_list: ...@@ -4479,6 +4479,10 @@ end_with_restore_list:
goto create_sp_error; goto create_sp_error;
} }
if (check_access(thd, CREATE_PROC_ACL, lex->sphead->m_db.str,
NULL, NULL, 0, 0))
goto create_sp_error;
/* /*
Check that a database directory with this name Check that a database directory with this name
exists. Design note: This won't work on virtual databases exists. Design note: This won't work on virtual databases
...@@ -4490,10 +4494,6 @@ end_with_restore_list: ...@@ -4490,10 +4494,6 @@ end_with_restore_list:
goto create_sp_error; goto create_sp_error;
} }
if (check_access(thd, CREATE_PROC_ACL, lex->sphead->m_db.str,
NULL, NULL, 0, 0))
goto create_sp_error;
name= lex->sphead->name(&namelen); name= lex->sphead->name(&namelen);
#ifdef HAVE_DLOPEN #ifdef HAVE_DLOPEN
if (lex->sphead->m_type == TYPE_ENUM_FUNCTION) if (lex->sphead->m_type == TYPE_ENUM_FUNCTION)
......
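Review bot: The relocated `check_access(thd, CREATE_PROC_ACL, ...)` call in the first hunk carries no comment saying that it must stay ahead of the database-directory check, so a later cleanup could restore the old order and bring back the differing errors. I would add above it `/* Check privileges before database existence: both cases must fail with ER_DBACCESS_DENIED_ERROR so the error does not reveal whether the database exists. */`. The enclosing block starts and ends outside both hunks, so whether other routine statements handled nearby still test existence before privileges cannot be seen from here and is worth confirming. The changed expectation for `information_schema` elsewhere on this page shows that root now gets access-denied instead of unknown-database, which is a user-visible change that may deserve a release-note line.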