[MDEV-22374] VIEW with security definer require FILE privilege from definer not invoker in case of INTO OUTFILE Created: 2020-04-27  Updated: 2023-04-27

Status: Stalled
Project: MariaDB Server
Component/s: Views
Affects Version/s: 5.5, 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Critical
Reporter: Oleksandr Byelkin Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-28179 OUTFILE from mysql.user lead to an ER... Closed
Relates
relates to MDEV-22378 load_data() always takes invoker FILE... Open

 Description    

 
 
create user test@localhost;
 
grant select on test.* to test@localhost;
 
 
 
create table t1 (a int);
 
create definer=test@localhost sql security definer view v1 as select * from t1;
 
 
 
--echo # check that ot works without view
 
--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from t1;
 
--echo # check that ot works without file
 
select * from v1;
 
 
 
--echo # rights for file should be taken from current user not view
 
--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select count(*) from v1) as dv1;
 
--echo # rights for file should be taken from current user not view
 
--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from (select * from v1) as dv1;
 
--eval select * INTO OUTFILE '$MYSQL_TMP_DIR/test_out_txt' from v1;
 
 
 
--remove_file $MYSQL_TMP_DIR/test_out_txt
 
drop view v1;
 
drop table t1;
 
drop user test@localhost;



 Comments   
Comment by Oleksandr Byelkin [ 2020-04-28 ]

commit d08860b28f3645bb59275941e56d63bef7ea3e05 (HEAD > bb-5.5MDEV-22374, origin/bb-5.5-MDEV-22374)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Tue Apr 28 09:16:33 2020 +0200

MDEV-22374: VIEW with security definer require FILE privilege from definer not invoker in case of INTO OUTFILE

Check INTO OUTFILE clause always from invoker.

Generated at Thu Feb 08 09:14:15 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.