From 047eb2258dfc0ad4004e51094c144873f70b3386 Mon Sep 17 00:00:00 2001 From: Alexey Botchkov Date: Wed, 17 Mar 2021 18:28:31 +0400 Subject: [PATCH] MDEV-25141 JSON_TABLE: SELECT into outfile bypasses file privilege check. access rights checking fixed. --- mysql-test/suite/json/r/json_table.result | 2 ++ mysql-test/suite/json/t/json_table.test | 6 ++++++ sql/sql_acl.cc | 14 ++++---------- sql/sql_parse.cc | 7 +++---- 4 files changed, 15 insertions(+), 14 deletions(-) diff --git a/mysql-test/suite/json/r/json_table.result b/mysql-test/suite/json/r/json_table.result index 29157ac6be2..3987b8b8e10 100644 --- a/mysql-test/suite/json/r/json_table.result +++ b/mysql-test/suite/json/r/json_table.result @@ -111,6 +111,8 @@ a select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt; a f {"foo":"bar"} bar +select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q; +ERROR 28000: Access denied for user 'u'@'localhost' (using password: NO) connection default; disconnect con1; drop user u@localhost; diff --git a/mysql-test/suite/json/t/json_table.test b/mysql-test/suite/json/t/json_table.test index c09f3301889..9cfdfe642c3 100644 --- a/mysql-test/suite/json/t/json_table.test +++ b/mysql-test/suite/json/t/json_table.test @@ -74,6 +74,12 @@ grant select (a) on db.t to u@localhost; select a from t; select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt; +# +# MDEV-25141 JSON_TABLE: SELECT into outfile bypasses file privilege check +# +--error ER_ACCESS_DENIED_ERROR +select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q; + connection default; disconnect con1; diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index eae8f22a881..dcd55a8860c 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -8150,16 +8150,9 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables, if (!want_access) continue; // ok - if (t_ref->table_function) - { - /* Table function doesn't need any privileges to be checked. */ - t_ref->grant.privilege|= TMP_TABLE_ACLS; - t_ref->grant.want_privilege= NO_ACL; - continue; - } - if (!(~t_ref->grant.privilege & want_access) || - t_ref->is_anonymous_derived_table() || t_ref->schema_table) + t_ref->is_anonymous_derived_table() || t_ref->schema_table || + t_ref->table_function) { /* It is subquery in the FROM clause. VIEW set t_ref->derived after @@ -8168,7 +8161,8 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables, NOTE: is_derived() can't be used here because subquery in this case the FROM clase (derived tables) can be not be marked yet. */ - if (t_ref->is_anonymous_derived_table() || t_ref->schema_table) + if (t_ref->is_anonymous_derived_table() || t_ref->schema_table || + t_ref->table_function) { /* If it's a temporary table created for a subquery in the FROM diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 237944be44d..4c331c05735 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -7104,9 +7104,6 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables, if (table_ref->is_anonymous_derived_table()) continue; - if (table_ref->table_function) - continue; - if (table_ref->sequence) { /* We want to have either SELECT or INSERT rights to sequences depending @@ -7116,7 +7113,9 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables, INSERT_ACL : SELECT_ACL); } - if (check_access(thd, want_access, table_ref->get_db_name(), + if (check_access(thd, want_access, + table_ref->table_function ? any_db : + table_ref->get_db_name(), &table_ref->grant.privilege, &table_ref->grant.m_internal, 0, no_errors))