Bug#45412 SHOW CREATE TRIGGER does not require privileges to disclose trigger data

Added privilege checking to SHOW CREATE TRIGGER code. mysql-test/r/trigger_notembedded.result: test result mysql-test/t/trigger_notembedded.test: test case sql/sql_show.cc: Added privilege checking to SHOW CREATE TRIGGER code.

Bug#45412 SHOW CREATE TRIGGER does not require privileges to disclose trigger data
Added privilege checking to SHOW CREATE TRIGGER code. mysql-test/r/trigger_notembedded.result: test result mysql-test/t/trigger_notembedded.test: test case sql/sql_show.cc: Added privilege checking to SHOW CREATE TRIGGER code.
5eab9716 · Sergey Glukhov · 1d9b7877 · 5eab9716 · 5eab9716 · 5eab9716
Commit 5eab9716 authored Jun 25, 2009 by Sergey Glukhov
Showing with 43 additions and 0 deletions

mysql-test/r/trigger_notembedded.result mysql-test/r/trigger_notembedded.result +14 -0

mysql-test/t/trigger_notembedded.test mysql-test/t/trigger_notembedded.test +23 -0

sql/sql_show.cc sql/sql_show.cc +6 -0

No files found.
--- a/mysql-test/r/trigger_notembedded.result
+++ b/mysql-test/r/trigger_notembedded.result
@@ -462,4 +462,18 @@ unlock tables;
 select * from t1;
 i
 drop table t1;
+CREATE DATABASE db1;
+CREATE TABLE db1.t1 (a char(30)) ENGINE=MEMORY;
+CREATE TRIGGER db1.trg AFTER INSERT ON db1.t1 FOR EACH ROW
+INSERT INTO db1.t1 VALUES('Some very sensitive data goes here');
+CREATE USER 'no_rights'@'localhost';
+REVOKE ALL ON *.* FROM 'no_rights'@'localhost';
+FLUSH PRIVILEGES;
+SELECT trigger_name FROM INFORMATION_SCHEMA.TRIGGERS
+WHERE trigger_schema = 'db1';
+trigger_name
+SHOW CREATE TRIGGER db1.trg;
+ERROR 42000: Access denied; you need the TRIGGER privilege for this operation
+DROP USER 'no_rights'@'localhost';
+DROP DATABASE db1;
 End of 5.1 tests.
--- a/mysql-test/t/trigger_notembedded.test
+++ b/mysql-test/t/trigger_notembedded.test
@@ -909,4 +909,27 @@ select * from t1;
 drop table t1;
 disconnect flush;

+#
+# Bug#45412 SHOW CREATE TRIGGER does not require privileges to disclose trigger data
+#
+CREATE DATABASE db1;
+CREATE TABLE db1.t1 (a char(30)) ENGINE=MEMORY;
+CREATE TRIGGER db1.trg AFTER INSERT ON db1.t1 FOR EACH ROW
+ INSERT INTO db1.t1 VALUES('Some very sensitive data goes here');
+
+CREATE USER 'no_rights'@'localhost';
+REVOKE ALL ON *.* FROM 'no_rights'@'localhost';
+FLUSH PRIVILEGES;
+
+connect (con1,localhost,no_rights,,);
+SELECT trigger_name FROM INFORMATION_SCHEMA.TRIGGERS
+ WHERE trigger_schema = 'db1';
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW CREATE TRIGGER db1.trg;
+
+connection default;
+disconnect con1;
+DROP USER 'no_rights'@'localhost';
+DROP DATABASE db1;
+
 --echo End of 5.1 tests.
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -7071,6 +7071,12 @@ bool show_create_trigger(THD *thd, const sp_name *trg_name)
  if (!lst)
    return TRUE;

+  if (check_table_access(thd, TRIGGER_ACL, lst, 1, TRUE))
+  {
+    my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), "TRIGGER");
+    return TRUE;
+  }
+
  /*
    Open the table by name in order to load Table_triggers_list object.