MariaDB Server: MDEV-7025

ANALYZE SELECT/INSERT/UPDATE/DELETE from a view does not check access permissions on the underlying table

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.1.1
    • Fix Version/s: 10.1.4
    • Component/s: Views
    • Labels:

      Description

      Test case
      
      --enable_connect_log
      # Set up a base table and a view over it; u1 is granted privileges
      # on the view only, not on the underlying table.
      create database db;
      use db;
      create table t1 (i int, c varchar(8));
      insert into t1 values (1,'foo'),(2,'bar'),(3,'baz'),(4,'qux');
      create view v1 as select * from t1 where i > 1;
      grant all on db.v1 to u1@localhost;
      
      --connect (con1,localhost,u1,,)
      
      # Direct access to the base table is denied for plain SELECT
      # as well as for EXPLAIN and ANALYZE.
      --error ER_TABLEACCESS_DENIED_ERROR
      select * from db.t1;
      --error ER_TABLEACCESS_DENIED_ERROR
      explain select * from db.t1;
      --error ER_TABLEACCESS_DENIED_ERROR
      analyze select * from db.t1;
      
      # Selecting from the view is allowed, but EXPLAIN and ANALYZE on it
      # must be refused because u1 lacks privileges on the underlying table.
      select * from db.v1;
      --error ER_VIEW_NO_EXPLAIN
      explain select * from db.v1;
      --error ER_VIEW_NO_EXPLAIN
      analyze select * from db.v1;
      
      --disconnect con1
      --connection default
      
      drop user u1@localhost;
      drop database db;
      

      The last ANALYZE statement should fail just as the preceding EXPLAIN does, but it succeeds (and exposes the underlying table t1 in its output).

      Same for INSERT, UPDATE, DELETE.

              Activity

              psergey Sergei Petrunia added a comment -

              Review feedback provided over email.

              cvicentiu Vicentiu Ciorbaru added a comment -

              Added access checks to be performed for the analyze statement, similarly to how it was done for EXPLAIN and SHOW VIEW.

              Fixed with:
              0ed57e34c76ffa5e457e1abb402ada6352fb52b2

                People

                • Assignee: cvicentiu Vicentiu Ciorbaru
                • Reporter: elenst Elena Stepanova
                • Votes: 0
                • Watchers: 3

                Time Tracking

                • Estimated: Not Specified
                • Remaining: 0 minutes
                • Logged: 2 hours