Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22374

VIEW with security definer require FILE privilege from definer not invoker in case of INTO OUTFILE

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Stalled (View Workflow)
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 5.5, 10.1, 10.2, 10.3, 10.4, 10.5
    • Fix Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
    • Component/s: Views
    • Labels:
      None

      Description

       
      create user test@localhost;
      grant select on test.* to test@localhost;
       
      create table t1 (a int);
      create definer=test@localhost sql security definer view v1 as select * from t1;
       
      --echo # check that ot works without view
      --eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from t1;
      --echo # check that ot works without file
      select * from v1;
       
      --echo # rights for file should be taken from current user not view
      --eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select count(*) from v1) as dv1;
      --echo # rights for file should be taken from current user not view
      --eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select * from v1) as dv1;
      --eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from v1;
       
      --remove_file $MYSQL_TMP_DIR/test_out_txt
      drop view v1;
      drop table t1;
      drop user test@localhost;
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              sanja Oleksandr Byelkin
              Reporter:
              sanja Oleksandr Byelkin
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated: