SET PASSWORD bugfixes:

* work as documented, use CURRENT_USER() * move the check for ER_PASSWORD_ANONYMOUS_USER where it can actually work

SET PASSWORD bugfixes:
* work as documented, use CURRENT_USER() * move the check for ER_PASSWORD_ANONYMOUS_USER where it can actually work
ac6877d4 · Sergei Golubchik · 4cc8cda3 · ac6877d4 · ac6877d4 · ac6877d4
Commit ac6877d4 authored Oct 18, 2013 by Sergei Golubchik
7 changed files
--- a/mysql-test/r/grant2.result
+++ b/mysql-test/r/grant2.result
@@ -335,7 +335,7 @@ delete from mysql.user where user like 'mysqltest\_1';
 flush privileges;
 drop database mysqltest_1;
 set password = password("changed");
-ERROR 42000: Can't find any matching row in the user table
+ERROR 42000: You are using MariaDB as an anonymous user and anonymous users are not allowed to change passwords
 lock table mysql.user write;
 flush privileges;
 grant all on *.* to 'mysqltest_1'@'localhost';

--- a/mysql-test/r/plugin_auth.result
+++ b/mysql-test/r/plugin_auth.result
@@ -36,8 +36,6 @@ USER()	CURRENT_USER()
 plug@localhost	plug_dest@%
 ## test SET PASSWORD
 SET PASSWORD = PASSWORD('plug_dest');
-Warnings:
-Note	1699	SET PASSWORD has no significance for users authenticating via plugins
 ## test bad credentials
 ERROR 28000: Access denied for user 'plug'@'localhost' (using password: YES)
 ## test bad default plugin : should get CR_AUTH_PLUGIN_CANNOT_LOAD
@@ -426,8 +424,6 @@ SELECT USER(),CURRENT_USER();
 USER()	CURRENT_USER()
 bug12818542@localhost	bug12818542_dest@localhost
 SET PASSWORD = PASSWORD('bruhaha');
-Warnings:
-Note	1699	SET PASSWORD has no significance for users authenticating via plugins
 SELECT USER(),CURRENT_USER();
 USER()	CURRENT_USER()
 bug12818542@localhost	bug12818542_dest@localhost

--- a/mysql-test/t/grant2.test
+++ b/mysql-test/t/grant2.test
@@ -405,7 +405,7 @@ drop database mysqltest_1;
 # But anonymous users can't change their password
 connect (n5,localhost,test,,test,$MASTER_MYPORT,$MASTER_MYSOCK);
 connection n5;
--error ER_PASSWORD_NO_MATCH
+--error ER_PASSWORD_ANONYMOUS_USER
 set password = password("changed");
 disconnect n5;
 connection default;

--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -832,23 +832,7 @@ int set_var_user::update(THD *thd)
 int set_var_password::check(THD *thd)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  if (!user->host.str)
-  {
-    DBUG_ASSERT(thd->security_ctx->priv_host);
-    if (*thd->security_ctx->priv_host != 0)
-    {
-      user->host.str= (char *) thd->security_ctx->priv_host;
-      user->host.length= strlen(thd->security_ctx->priv_host);
-    }
-    else
-      user->host= host_not_specified;
-  }
-  if (user->user.str == current_user.str)
-  {
-    DBUG_ASSERT(thd->security_ctx->user);
-    user->user.str= (char *) thd->security_ctx->user;
-    user->user.length= strlen(thd->security_ctx->user);
-  }
+  user= get_current_user(thd, user);
  /* Returns 1 as the function sends error to client */
  return check_change_password(thd, user->host.str, user->user.str,
                               password, strlen(password)) ? 1 : 0;

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -2883,20 +2883,25 @@ int check_change_password(THD *thd, const char *host, const char *user,
    my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--skip-grant-tables");
    return(1);
  }
+  if (!thd->slave_thread && !thd->security_ctx->priv_user[0])
+  {
+    my_message(ER_PASSWORD_ANONYMOUS_USER, ER(ER_PASSWORD_ANONYMOUS_USER),
+               MYF(0));
+    return(1);
+  }
+  if (!host) // Role
+  {
+    my_error(ER_PASSWORD_NO_MATCH, MYF(0));
+    return 1;
+  }
  if (!thd->slave_thread &&
-      (strcmp(thd->security_ctx->user, user) ||
+      (strcmp(thd->security_ctx->priv_user, user) ||
       my_strcasecmp(system_charset_info, host,
                     thd->security_ctx->priv_host)))
  {
    if (check_access(thd, UPDATE_ACL, "mysql", NULL, NULL, 1, 0))
      return(1);
  }
-  if (!thd->slave_thread && !thd->security_ctx->user[0])
-  {
-    my_message(ER_PASSWORD_ANONYMOUS_USER, ER(ER_PASSWORD_ANONYMOUS_USER),
-               MYF(0));
-    return(1);
-  }
  size_t len= strlen(new_password);
  if (len && len != SCRAMBLED_PASSWORD_CHAR_LENGTH &&
      len != SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
@@ -3037,7 +3042,7 @@ end:

  RETURN
   FALSE  user not fond
-   TRUE   there are such user
+   TRUE   there is such user
 */

 bool is_acl_user(const char *host, const char *user)

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -3791,38 +3791,54 @@ end_with_restore_list:

    if (thd->security_ctx->user)              // If not replication
    {
-      LEX_USER *user, *tmp_user;
+      LEX_USER *user;
      bool first_user= TRUE;

      List_iterator <LEX_USER> user_list(lex->users_list);
-      while ((tmp_user= user_list++))
+      while ((user= user_list++))
      {
-        if (!(user= get_current_user(thd, tmp_user)))
-          goto error;
        if (specialflag & SPECIAL_NO_RESOLVE &&
            hostname_requires_resolving(user->host.str))
          push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN,
                              ER_WARN_HOSTNAME_WONT_WORK,
                              ER(ER_WARN_HOSTNAME_WONT_WORK));
-        // Are we trying to change a password of another user
-        DBUG_ASSERT(user->host.str != 0);

        /*
          GRANT/REVOKE PROXY has the target user as a first entry in the list. 
         */
        if (lex->type == TYPE_ENUM_PROXY && first_user)
        {
+          if (!(user= get_current_user(thd, user)) || !user->host.str)
+            goto error;
+
          first_user= FALSE;
          if (acl_check_proxy_grant_access (thd, user->host.str, user->user.str,
                                        lex->grant & GRANT_ACL))
            goto error;
        } 
-        else if (is_acl_user(user->host.str, user->user.str) &&
-                 user->password.str &&
-                 check_change_password (thd, user->host.str, user->user.str, 
-                                        user->password.str, 
-                                        user->password.length))
-          goto error;
+        else if (user->password.str)
+        {
+          // Are we trying to change a password of another user?
+          const char *hostname= user->host.str, *username=user->user.str;
+          bool userok;
+          if (username == current_user.str)
+          {
+            username= thd->security_ctx->priv_user;
+            hostname= thd->security_ctx->priv_host;
+            userok= true;
+          }
+          else
+          {
+            if (!hostname)
+              hostname= host_not_specified.str;
+            userok= is_acl_user(hostname, username);
+          }
+
+          if (userok && check_change_password (thd, hostname, username, 
+                                               user->password.str, 
+                                               user->password.length))
+            goto error;
+        }
      }
    }
    if (first_table)

--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -13884,10 +13884,9 @@ option_value:
              my_error(ER_SP_BAD_VAR_SHADOW, MYF(0), pw.str);
              MYSQL_YYABORT;
            }
-            if (!(user=(LEX_USER*) thd->alloc(sizeof(LEX_USER))))
+            if (!(user=(LEX_USER*) thd->calloc(sizeof(LEX_USER))))
              MYSQL_YYABORT;
-            user->host=null_lex_str;
-            user->user.str=thd->security_ctx->user;
+            user->user= current_user;
            set_var_password *var= new set_var_password(user, $3);
            if (var == NULL)
              MYSQL_YYABORT;