1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MDEV-25141 JSON_TABLE: SELECT into outfile bypasses file privilege check.

Browse Source 
access rights checking fixed.
This commit is contained in:
Alexey Botchkov 2021-03-17 18:28:31 +04:00
parent abdc39b0a7
commit 047eb2258d
4 changed files with 15 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mysql-test/suite/json/r/json_table.result
View File

@ -111,6 +111,8 @@ a
select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt; select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt;
a f a f
{"foo":"bar"} bar {"foo":"bar"} bar
select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q;
ERROR 28000: Access denied for user 'u'@'localhost' (using password: NO)
connection default; connection default;
disconnect con1; disconnect con1;
drop user u@localhost; drop user u@localhost;

6
mysql-test/suite/json/t/json_table.test
View File

@ -74,6 +74,12 @@ grant select (a) on db.t to u@localhost;
select a from t; select a from t;
select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt; select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt;
#
# MDEV-25141 JSON_TABLE: SELECT into outfile bypasses file privilege check
#
--error ER_ACCESS_DENIED_ERROR
select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q;
connection default; connection default;
disconnect con1; disconnect con1;

14
sql/sql_acl.cc
View File

@ -8150,16 +8150,9 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
if (!want_access) if (!want_access)
continue; // ok continue; // ok
if (t_ref->table_function)
{
/* Table function doesn't need any privileges to be checked. */
t_ref->grant.privilege|= TMP_TABLE_ACLS;
t_ref->grant.want_privilege= NO_ACL;
continue;
}
if (!(~t_ref->grant.privilege & want_access) || if (!(~t_ref->grant.privilege & want_access) ||
t_ref->is_anonymous_derived_table() || t_ref->schema_table) t_ref->is_anonymous_derived_table() || t_ref->schema_table ||
t_ref->table_function)
{ {
/* /*
It is subquery in the FROM clause. VIEW set t_ref->derived after It is subquery in the FROM clause. VIEW set t_ref->derived after
@ -8168,7 +8161,8 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
NOTE: is_derived() can't be used here because subquery in this case NOTE: is_derived() can't be used here because subquery in this case
the FROM clase (derived tables) can be not be marked yet. the FROM clase (derived tables) can be not be marked yet.
*/ */
if (t_ref->is_anonymous_derived_table() || t_ref->schema_table) if (t_ref->is_anonymous_derived_table() || t_ref->schema_table ||
t_ref->table_function)
{ {
/* /*
If it's a temporary table created for a subquery in the FROM If it's a temporary table created for a subquery in the FROM

7
sql/sql_parse.cc
View File

@ -7104,9 +7104,6 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables,
if (table_ref->is_anonymous_derived_table()) if (table_ref->is_anonymous_derived_table())
continue; continue;
if (table_ref->table_function)
continue;
if (table_ref->sequence) if (table_ref->sequence)
{ {
/* We want to have either SELECT or INSERT rights to sequences depending /* We want to have either SELECT or INSERT rights to sequences depending
@ -7116,7 +7113,9 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables,
INSERT_ACL : SELECT_ACL); INSERT_ACL : SELECT_ACL);
} }
if (check_access(thd, want_access, table_ref->get_db_name(), if (check_access(thd, want_access,
table_ref->table_function ? any_db :
table_ref->get_db_name(),
&table_ref->grant.privilege, &table_ref->grant.privilege,
&table_ref->grant.m_internal, &table_ref->grant.m_internal,
0, no_errors)) 0, no_errors))