[#MDEV-18440] Information_schema.check_constraints possible data leak

[MDEV-18440] Information_schema.check_constraints possible data leak Created: 2019-01-31 Updated: 2019-12-13 Resolved: 2019-12-13
Status:	Closed
Project:	MariaDB Server
Component/s:	Information Schema
Affects Version/s:	10.2, 10.3
Fix Version/s:	10.2.31, 10.3.22, 10.4.12

Type:

Bug

Priority:

Major

Reporter:

Vicențiu Ciorbaru

Assignee:

Anel Husakovic

Resolution:

Fixed

Votes:

Labels:

None

Description

information_schema.check_constraints can leak unwanted information via check constraints definitions. For example, a user can infer column names from a table:

create user foo;

create database db;

use db;

create table t1 (a int, b int, CONSTRAINT CHECK (b > 0));

insert into t1 values (1, 2), (2, 3);

grant select (a) on t1 to foo;

show grants for foo;

select * from information_schema.check_constraints;

CONNECT(con1,localhost, foo,, db);

select a from t1;

select * from information_schema.check_constraints;

--CONNECTION DEFAULT;

drop database db;

This will print, when logged in as user foo:

select * from information_schema.check_constraints;

CONSTRAINT_CATALOG	CONSTRAINT_SCHEMA	CONSTRAINT_NAME	TABLE_NAME	CHECK_CLAUSE

def	db	t1	CONSTRAINT_1	`b` > 0

So now, user foo knows table t1 has a `b` column.

Comments

Comment by Anel Husakovic [ 2019-12-13 ]

Pushed with 8129ff14407826 on 10.2 , 193b5ed50bc203a on 10.3

Generated at Thu Feb 08 08:44:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-18440] Information_schema.check_constraints possible data leak Created: 2019-01-31 Updated: 2019-12-13 Resolved: 2019-12-13