Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-2788

Masking filter performs case-sensitive checks against unquoted case-insensitive identifiers in function calls and WHERE clauses

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.4
    • Fix Version/s: 2.4.5, 2.3.16
    • Component/s: masking
    • Labels:
      None

      Description

      Let's say that a user has the following rule set:

          {
            "replace": {
              "column": "COLNAME"
            },
            "with": {
              "value": ".",
              "fill": "."
            }
          },
      

      Then the following queries are properly rejected:

      > select COLNAME, upper(COLNAME) from TABNAME limit 10;
      ERROR 1141 (HY000): The function upper is used in conjunction with a field that should be masked for 'user'@'::ffff:...', access is denied.
       
      > select COLNAME from TABNAME where COLNAME like '1%' limit 10;
      ERROR 1141 (HY000): The function upper is used in conjunction with a field that should be masked for 'user'@'::ffff:...', access is denied.
      

      However, if the same columns are referred to in lowercase (and unquoted), then the filter allows the queries:

      > select colname, upper(colname) from tabname limit 10;
       
      > select colname from tabname where colname like '1%' limit 10;
      

        Attachments

          Activity

            People

            Assignee:
            johan.wikman Johan Wikman
            Reporter:
            GeoffMontee Geoff Montee
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: