161 lines
6.7 KiB
Diff
161 lines
6.7 KiB
Diff
Back-port upstream fix for CVE-2007-6303.
|
|
|
|
diff -Naur mysql-5.0.45.orig/mysql-test/r/view_grant.result mysql-5.0.45/mysql-test/r/view_grant.result
|
|
--- mysql-5.0.45.orig/mysql-test/r/view_grant.result 2007-07-04 09:49:09.000000000 -0400
|
|
+++ mysql-5.0.45/mysql-test/r/view_grant.result 2007-12-13 14:20:02.000000000 -0500
|
|
@@ -776,15 +776,60 @@
|
|
GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813@localhost;
|
|
GRANT SELECT ON db26813.t1 TO u26813@localhost;
|
|
ALTER VIEW v1 AS SELECT f2 FROM t1;
|
|
-ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table 'v1'
|
|
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
|
|
ALTER VIEW v2 AS SELECT f2 FROM t1;
|
|
-ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2'
|
|
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
|
|
ALTER VIEW v3 AS SELECT f2 FROM t1;
|
|
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
|
|
SHOW CREATE VIEW v3;
|
|
View Create View
|
|
-v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1`
|
|
+v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f1` AS `f1` from `t1`
|
|
DROP USER u26813@localhost;
|
|
DROP DATABASE db26813;
|
|
+#
|
|
+# Bug#29908: A user can gain additional access through the ALTER VIEW.
|
|
+#
|
|
+CREATE DATABASE mysqltest_29908;
|
|
+USE mysqltest_29908;
|
|
+CREATE TABLE t1(f1 INT, f2 INT);
|
|
+CREATE USER u29908_1@localhost;
|
|
+CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
|
|
+CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
|
|
+SELECT f1 FROM t1;
|
|
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
|
|
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
|
|
+GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
|
|
+CREATE USER u29908_2@localhost;
|
|
+GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
|
|
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
|
|
+GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
|
|
+ALTER VIEW v1 AS SELECT f2 FROM t1;
|
|
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
|
|
+ALTER VIEW v2 AS SELECT f2 FROM t1;
|
|
+ERROR 42000: Access denied; you need the SUPER privilege for this operation
|
|
+SHOW CREATE VIEW v2;
|
|
+View Create View
|
|
+v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`
|
|
+ALTER VIEW v1 AS SELECT f2 FROM t1;
|
|
+SHOW CREATE VIEW v1;
|
|
+View Create View
|
|
+v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f2` AS `f2` from `t1`
|
|
+ALTER VIEW v2 AS SELECT f2 FROM t1;
|
|
+SHOW CREATE VIEW v2;
|
|
+View Create View
|
|
+v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1`
|
|
+ALTER VIEW v1 AS SELECT f1 FROM t1;
|
|
+SHOW CREATE VIEW v1;
|
|
+View Create View
|
|
+v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f1` AS `f1` from `t1`
|
|
+ALTER VIEW v2 AS SELECT f1 FROM t1;
|
|
+SHOW CREATE VIEW v2;
|
|
+View Create View
|
|
+v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`
|
|
+DROP USER u29908_1@localhost;
|
|
+DROP USER u29908_2@localhost;
|
|
+DROP DATABASE mysqltest_29908;
|
|
+#######################################################################
|
|
DROP DATABASE IF EXISTS mysqltest1;
|
|
DROP DATABASE IF EXISTS mysqltest2;
|
|
CREATE DATABASE mysqltest1;
|
|
diff -Naur mysql-5.0.45.orig/mysql-test/t/view_grant.test mysql-5.0.45/mysql-test/t/view_grant.test
|
|
--- mysql-5.0.45.orig/mysql-test/t/view_grant.test 2007-07-04 09:49:09.000000000 -0400
|
|
+++ mysql-5.0.45/mysql-test/t/view_grant.test 2007-12-13 14:19:43.000000000 -0500
|
|
@@ -1034,10 +1034,11 @@
|
|
|
|
connect (u1,localhost,u26813,,db26813);
|
|
connection u1;
|
|
---error 1142
|
|
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
ALTER VIEW v1 AS SELECT f2 FROM t1;
|
|
---error 1142
|
|
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
ALTER VIEW v2 AS SELECT f2 FROM t1;
|
|
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
ALTER VIEW v3 AS SELECT f2 FROM t1;
|
|
|
|
connection root;
|
|
@@ -1047,6 +1048,51 @@
|
|
DROP DATABASE db26813;
|
|
disconnect u1;
|
|
|
|
+--echo #
|
|
+--echo # Bug#29908: A user can gain additional access through the ALTER VIEW.
|
|
+--echo #
|
|
+connection root;
|
|
+CREATE DATABASE mysqltest_29908;
|
|
+USE mysqltest_29908;
|
|
+CREATE TABLE t1(f1 INT, f2 INT);
|
|
+CREATE USER u29908_1@localhost;
|
|
+CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
|
|
+CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
|
|
+ SELECT f1 FROM t1;
|
|
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
|
|
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
|
|
+GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
|
|
+CREATE USER u29908_2@localhost;
|
|
+GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
|
|
+GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
|
|
+GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
|
|
+
|
|
+connect (u2,localhost,u29908_2,,mysqltest_29908);
|
|
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
+ALTER VIEW v1 AS SELECT f2 FROM t1;
|
|
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
+ALTER VIEW v2 AS SELECT f2 FROM t1;
|
|
+SHOW CREATE VIEW v2;
|
|
+
|
|
+connect (u1,localhost,u29908_1,,mysqltest_29908);
|
|
+ALTER VIEW v1 AS SELECT f2 FROM t1;
|
|
+SHOW CREATE VIEW v1;
|
|
+ALTER VIEW v2 AS SELECT f2 FROM t1;
|
|
+SHOW CREATE VIEW v2;
|
|
+
|
|
+connection root;
|
|
+ALTER VIEW v1 AS SELECT f1 FROM t1;
|
|
+SHOW CREATE VIEW v1;
|
|
+ALTER VIEW v2 AS SELECT f1 FROM t1;
|
|
+SHOW CREATE VIEW v2;
|
|
+
|
|
+DROP USER u29908_1@localhost;
|
|
+DROP USER u29908_2@localhost;
|
|
+DROP DATABASE mysqltest_29908;
|
|
+disconnect u1;
|
|
+disconnect u2;
|
|
+--echo #######################################################################
|
|
+
|
|
#
|
|
# BUG#24040: Create View don't succed with "all privileges" on a database.
|
|
#
|
|
diff -Naur mysql-5.0.45.orig/sql/sql_view.cc mysql-5.0.45/sql/sql_view.cc
|
|
--- mysql-5.0.45.orig/sql/sql_view.cc 2007-07-04 09:06:03.000000000 -0400
|
|
+++ mysql-5.0.45/sql/sql_view.cc 2007-12-13 13:30:29.000000000 -0500
|
|
@@ -224,9 +224,6 @@
|
|
{
|
|
LEX *lex= thd->lex;
|
|
bool link_to_local;
|
|
-#ifndef NO_EMBEDDED_ACCESS_CHECKS
|
|
- bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer;
|
|
-#endif
|
|
/* first table in list is target VIEW name => cut off it */
|
|
TABLE_LIST *view= lex->unlink_first_table(&link_to_local);
|
|
TABLE_LIST *tables= lex->query_tables;
|
|
@@ -281,7 +278,7 @@
|
|
- same as current user
|
|
- current user has SUPER_ACL
|
|
*/
|
|
- if (definer_check_is_needed &&
|
|
+ if (lex->definer &&
|
|
(strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 ||
|
|
my_strcasecmp(system_charset_info,
|
|
lex->definer->host.str,
|