Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-7025

ANALYZE SELECT/INSERT/UPDATE/DELETE from a view does not check access permissions on the underlying table

Details

    Description

      Test case

      		 
      --enable_connect_log
      		 
      create database db;
      		 
      use db;
      		 
      create table t1 (i int, c varchar(8));
      		 
      insert into t1 values (1,'foo'),(2,'bar'),(3,'baz'),(4,'qux');
      		 
      create view v1 as select * from t1 where i > 1;
      		 
      grant all on db.v1 to u1@localhost;
      		 
       
      		 
      --connect (con1,localhost,u1,,)
      		 
       
      		 
      --error ER_TABLEACCESS_DENIED_ERROR
      		 
      select * from db.t1;
      		 
      --error ER_TABLEACCESS_DENIED_ERROR
      		 
      explain select * from db.t1;
      		 
      --error ER_TABLEACCESS_DENIED_ERROR
      		 
      analyze select * from db.t1;
      		 
       
      		 
      select * from db.v1;
      		 
      --error ER_VIEW_NO_EXPLAIN
      		 
      explain select * from db.v1;
      		 
      --error ER_VIEW_NO_EXPLAIN
      		 
      analyze select * from db.v1;
      		 
       
      		 
      --disconnect con1
      		 
      --connection default
      		 
       
      		 
      drop user u1@localhost;
      		 
      drop database db;

      The last statement should fail just like the previous one does, but it succeeds (and reveals the underlying t1 table in the output).

      Same for INSERT, UPDATE, DELETE.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-406 ANALYZE $stmt

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. MDEV-6382 ANALYZE $stmt and security

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. MDEV-6422 More testing for ANALYZE stmt and JSON

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            psergei Sergei Petrunia added a comment -

            review feedback provided over email

            psergei Sergei Petrunia added a comment - review feedback provided over email
            cvicentiu Vicențiu Ciorbaru added a comment -

            Added access checks to be performed for the analyze statement, similarly to how it was done for EXPLAIN and SHOW VIEW.

            Fixed with:
            0ed57e34c76ffa5e457e1abb402ada6352fb52b2

            cvicentiu Vicențiu Ciorbaru added a comment - Added access checks to be performed for the analyze statement, similarly to how it was done for EXPLAIN and SHOW VIEW. Fixed with: 0ed57e34c76ffa5e457e1abb402ada6352fb52b2

            People

              cvicentiu Vicențiu Ciorbaru
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.