Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22374

VIEW with security definer require FILE privilege from definer not invoker in case of INTO OUTFILE

    XMLWordPrintable

Details

    • Bug
    • Status: Stalled (View Workflow)
    • Critical
    • Resolution: Unresolved
    • 5.5(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
    • 10.5, 10.6
    • Views
    • None

    Description

       
      create user test@localhost;
      grant select on test.* to test@localhost;
       
      create table t1 (a int);
      create definer=test@localhost sql security definer view v1 as select * from t1;
       
      --echo # check that ot works without view
      --eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from t1;
      --echo # check that ot works without file
      select * from v1;
       
      --echo # rights for file should be taken from current user not view
      --eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select count(*) from v1) as dv1;
      --echo # rights for file should be taken from current user not view
      --eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select * from v1) as dv1;
      --eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from v1;
       
      --remove_file $MYSQL_TMP_DIR/test_out_txt
      drop view v1;
      drop table t1;
      drop user test@localhost;
      

      Attachments

        Issue Links

          Activity

            People

              sanja Oleksandr Byelkin
              sanja Oleksandr Byelkin
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.