[MDEV-22374] VIEW with security definer require FILE privilege from definer not invoker in case of INTO OUTFILE - Jira

XML

Word

Printable

Details

Type: Bug
Status: Stalled (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 5.5(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Fix Version/s: 10.5, 10.6
Component/s: Views
Labels:
None

Description

create user test@localhost;

grant select on test.* to test@localhost;

create table t1 (a int);

create definer=test@localhost sql security definer view v1 as select * from t1;

--echo # check that ot works without view

--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from t1;

--echo # check that ot works without file

select * from v1;

--echo # rights for file should be taken from current user not view

--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select count(*) from v1) as dv1;

--echo # rights for file should be taken from current user not view

--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select * from v1) as dv1;

--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from v1;

--remove_file $MYSQL_TMP_DIR/test_out_txt

drop view v1;

drop table t1;

drop user test@localhost;

Attachments

Issue Links

is duplicated by

MDEV-28179 OUTFILE from mysql.user lead to an ERROR 1356 (HY000): View 'mysql.user' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them

Closed

relates to

MDEV-22378 load_data() always takes invoker FILE privileges in view

Open

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Oleksandr Byelkin

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2020-04-27 11:44

Updated:: 2024-09-30 13:37

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.