Bug #23675 Partitions: possible security breach via alter

now we return different error message if user doesn't have SELECT grants mysql-test/r/partition_grant.result: test result mysql-test/t/partition_grant.test: testcase sql/mysql_priv.h: no_errors parameter added to check_single_table_access() sql/partition_info.cc: access rights control added to the print_no_partition() sql/share/errmsg.txt: message added sql/sql_base.cc: no_errors parameter added to check_single_table_access() sql/sql_parse.cc: no_errors parameter added to check_single_table_access()

Bug #23675 Partitions: possible security breach via alter
now we return different error message if user doesn't have SELECT grants mysql-test/r/partition_grant.result: test result mysql-test/t/partition_grant.test: testcase sql/mysql_priv.h: no_errors parameter added to check_single_table_access() sql/partition_info.cc: access rights control added to the print_no_partition() sql/share/errmsg.txt: message added sql/sql_base.cc: no_errors parameter added to check_single_table_access() sql/sql_parse.cc: no_errors parameter added to check_single_table_access()
93e11dce · unknown · c2426620 · 93e11dce · 93e11dce · 93e11dce
Commit 93e11dce authored Apr 04, 2007 by unknown
7 changed files
--- a/mysql-test/r/partition_grant.result
+++ b/mysql-test/r/partition_grant.result
@@ -19,7 +19,16 @@ revoke alter on mysqltest_1.* from mysqltest_1@localhost;
 alter table t1 drop partition p3;
 ERROR 42000: ALTER command denied to user 'mysqltest_1'@'localhost' for table 't1'
 revoke select,alter,drop on mysqltest_1.* from mysqltest_1@localhost;
-drop user mysqltest_1@localhost;
 drop table t1;
+create table t1 (s1 int);
+insert into t1 values (1);
+grant alter on mysqltest_1.* to mysqltest_1@localhost;
+alter table t1 partition by list (s1) (partition p1 values in (2));
+ERROR HY000: Table has no partition for some existing values
+grant select, alter on mysqltest_1.* to mysqltest_1@localhost;
+alter table t1 partition by list (s1) (partition p1 values in (2));
+ERROR HY000: Table has no partition for value 1
+drop table t1;
+drop user mysqltest_1@localhost;
 drop schema mysqltest_1;
 End of 5.1 tests
--- a/mysql-test/t/partition_grant.test
+++ b/mysql-test/t/partition_grant.test
@@ -52,8 +52,30 @@ disconnect conn3;
 connection default;

 revoke select,alter,drop on mysqltest_1.* from mysqltest_1@localhost;
-drop user mysqltest_1@localhost;
 drop table t1;
+
+#
+# Bug #23675 Partitions: possible security breach via alter 
+#
+
+create table t1 (s1 int);
+insert into t1 values (1);
+grant alter on mysqltest_1.* to mysqltest_1@localhost;
+connect (conn4,localhost,mysqltest_1,,mysqltest_1);
+connection conn4;
+--error 1514
+alter table t1 partition by list (s1) (partition p1 values in (2));
+connection default;
+grant select, alter on mysqltest_1.* to mysqltest_1@localhost;
+disconnect conn4;
+connect (conn5,localhost,mysqltest_1,,mysqltest_1);
+--error 1514
+alter table t1 partition by list (s1) (partition p1 values in (2));
+disconnect conn5;
+connection default;
+drop table t1;
+
+drop user mysqltest_1@localhost;
 drop schema mysqltest_1;

 --echo End of 5.1 tests
--- a/sql/mysql_priv.h
+++ b/sql/mysql_priv.h
@@ -598,7 +598,7 @@ class THD;
 void close_thread_tables(THD *thd, bool locked=0, bool skip_derived=0);
 bool check_one_table_access(THD *thd, ulong privilege, TABLE_LIST *tables);
 bool check_single_table_access(THD *thd, ulong privilege,
-			   TABLE_LIST *tables);
+			   TABLE_LIST *tables, bool no_errors);
 bool check_routine_access(THD *thd,ulong want_access,char *db,char *name,
 			  bool is_proc, bool no_errors);
 bool check_some_access(THD *thd, ulong want_access, TABLE_LIST *table);

--- a/sql/partition_info.cc
+++ b/sql/partition_info.cc
@@ -849,8 +849,19 @@ void partition_info::print_no_partition_found(TABLE *table)
 {
  char buf[100];
  char *buf_ptr= (char*)&buf;
-  my_bitmap_map *old_map= dbug_tmp_use_all_columns(table, table->read_set);
+  TABLE_LIST table_list;
+
+  bzero(&table_list, sizeof(table_list));
+  table_list.db= table->s->db.str;
+  table_list.table_name= table->s->table_name.str;

+  if (check_single_table_access(current_thd,
+                                SELECT_ACL, &table_list, TRUE))
+    my_message(ER_NO_PARTITION_FOR_GIVEN_VALUE,
+               ER(ER_NO_PARTITION_FOR_GIVEN_VALUE_SILENT), MYF(0));
+  else
+  {
+    my_bitmap_map *old_map= dbug_tmp_use_all_columns(table, table->read_set);
    if (part_expr->null_value)
      buf_ptr= (char*)"NULL";
    else
@@ -858,6 +869,7 @@ void partition_info::print_no_partition_found(TABLE *table)
                   part_expr->unsigned_flag ? 10 : -10);
    my_error(ER_NO_PARTITION_FOR_GIVEN_VALUE, MYF(0), buf_ptr);
    dbug_tmp_restore_column_map(table->read_set, old_map);
+  }
 }
 /*
  Set up buffers and arrays for fields requiring preparation

--- a/sql/share/errmsg.txt
+++ b/sql/share/errmsg.txt
@@ -6053,3 +6053,5 @@ ER_DUP_ENTRY_WITH_KEY_NAME 23000 S1009
 ER_BINLOG_PURGE_EMFILE
        eng "Too many files opened, please execute the command again"
        ger "Zu viele offene Dateien, bitte fhren Sie den Befehl noch einmal aus"
+ER_NO_PARTITION_FOR_GIVEN_VALUE_SILENT
+        eng "Table has no partition for some existing values"
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -5781,7 +5781,7 @@ bool setup_tables_and_check_access(THD *thd,
  {
    if (leaves_tmp->belong_to_view && 
        check_single_table_access(thd, first_table ? want_access_first :
-                                  want_access,  leaves_tmp))
+                                  want_access, leaves_tmp, FALSE))
    {
      tables->hide_view_error(thd);
      return TRUE;

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -4433,6 +4433,8 @@ static bool execute_sqlcom_select(THD *thd, TABLE_LIST *all_tables)
    thd			Thread handler
    privilege		requested privilege
    all_tables		global table list of query
+    no_errors           FALSE/TRUE - report/don't report error to
+                            the client (using my_error() call).

  RETURN
    0 - OK
@@ -4440,7 +4442,7 @@ static bool execute_sqlcom_select(THD *thd, TABLE_LIST *all_tables)
 */

 bool check_single_table_access(THD *thd, ulong privilege, 
-                               TABLE_LIST *all_tables)
+                               TABLE_LIST *all_tables, bool no_errors)
 {
  Security_context * backup_ctx= thd->security_ctx;

@@ -4456,12 +4458,12 @@ bool check_single_table_access(THD *thd, ulong privilege,
    db_name= all_tables->db;

  if (check_access(thd, privilege, db_name,
-		   &all_tables->grant.privilege, 0, 0,
+		   &all_tables->grant.privilege, 0, no_errors,
                   test(all_tables->schema_table)))
    goto deny;

  /* Show only 1 table for check_grant */
-  if (grant_option && check_grant(thd, privilege, all_tables, 0, 1, 0))
+  if (grant_option && check_grant(thd, privilege, all_tables, 0, 1, no_errors))
    goto deny;

  thd->security_ctx= backup_ctx;
@@ -4489,7 +4491,7 @@ bool check_single_table_access(THD *thd, ulong privilege,

 bool check_one_table_access(THD *thd, ulong privilege, TABLE_LIST *all_tables)
 {
-  if (check_single_table_access (thd,privilege,all_tables))
+  if (check_single_table_access (thd,privilege,all_tables, FALSE))
    return 1;

  /* Check rights on tables of subselects and implictly opened tables */
@@ -4502,7 +4504,7 @@ bool check_one_table_access(THD *thd, ulong privilege, TABLE_LIST *all_tables)
    */
    if (view && subselects_tables->belong_to_view == view)
    {
-      if (check_single_table_access (thd, privilege, subselects_tables))
+      if (check_single_table_access (thd, privilege, subselects_tables, FALSE))
        return 1;
      subselects_tables= subselects_tables->next_global;
    }