• unknown's avatar
    Bug#18630: Arguments of suid routine calculated in wrong security · cd05976d
    unknown authored
               context.
    
    Routine arguments were evaluated in the security context of the routine
    itself, not in the caller's context.
    
    The bug is fixed the following way:
    
      - Item_func_sp::find_and_check_access() has been split into two
        functions: Item_func_sp::find_and_check_access() itself only
        finds the function and check that the caller have EXECUTE privilege
        on it.  New function set_routine_security_ctx() changes security
        context for SUID routines and checks that definer have EXECUTE
        privilege too.
    
      - new function sp_head::execute_trigger() is called from
        Table_triggers_list::process_triggers() instead of
        sp_head::execute_function(), and is effectively just as the
        sp_head::execute_function() is, with all non-trigger related code
        removed, and added trigger-specific security context switch.
    
      - call to Item_func_sp::find_and_check_access() stays outside
        of sp_head::execute_function(), and there is a code in
        sql_parse.cc before the call to sp_head::execute_procedure() that
        checks that the caller have EXECUTE privilege, but both
        sp_head::execute_function() and sp_head::execute_procedure() call
        set_routine_security_ctx() after evaluating their parameters,
        and restore the context after the body is executed.
    
    
    mysql-test/r/sp-security.result:
      Add test case for bug#18630: Arguments of suid routine calculated
      in wrong security context.
    mysql-test/t/sp-security.test:
      Add result for bug#18630: Arguments of suid routine calculated
      in wrong security context.
    sql/item_func.cc:
      Do not change security context before executing the function, as it
      will be changed after argument evaluation.
      Do not change security context in Item_func_sp::find_and_check_access().
    sql/item_func.h:
      Change prototype for Item_func_sp::find_and_check_access().
    sql/sp_head.cc:
      Add set_routine_security_ctx() function.
      Add sp_head::execute_trigger() method.
      Change security context in sp_head::execute_trigger(), and in
      sp_head::execute_function() and sp_head::execute_procedure()
      after argument evaluation.
      Move pop_all_cursors() call to sp_head::execute().
    sql/sp_head.h:
      Add declaration for sp_head::execute_trigger() and
      set_routine_security_ctx().
    sql/sql_parse.cc:
      Do not change security context before executing the procedure, as it
      will be changed after argument evaluation.
    sql/sql_trigger.cc:
      Call new sp_head::execute_trigger() instead of
      sp_head::execute_function(), which is responsible to switch
      security context.
    cd05976d
sp_head.h 28 KB