[MDEV-25141] JSON_TABLE: SELECT into outfile bypasses file privilege check

Created: 2021-03-15
Updated: 2021-04-21
Resolved: 2021-03-18

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, JSON
Affects Version/s: N/A
Fix Version/s: 10.6.0

Type: Bug
Priority: Blocker
Reporter: Elena Stepanova
Assignee: Alexey Botchkov
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-17399 Add support for JSON_TABLE Closed

Description

SELECT from JSON_TABLE into an outfile doesn't check for FILE privilege.

bb-10.6-mdev17399-psergey2 8b533cc1d5

+-----------------------------------------+
| Grants for foo@localhost                |
+-----------------------------------------+
| GRANT USAGE ON *.* TO `foo`@`localhost` |
+-----------------------------------------+
1 row in set (0.000 sec)
 
MariaDB [test]> select 1 into outfile 'f';
ERROR 1045 (28000): Access denied for user 'foo'@'localhost' (using password: NO)
 
MariaDB [test]> select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q;
Query OK, 1 row affected (0.001 sec)

MTR version

create user foo@localhost;
--connect (con1,localhost,foo,,)
--error ER_ACCESS_DENIED_ERROR,ER_SPECIFIC_ACCESS_DENIED_ERROR
select 1 into outfile 'f';
--error ER_ACCESS_DENIED_ERROR,ER_SPECIFIC_ACCESS_DENIED_ERROR
select * from json_table('[]', '$' columns(x for ordinality)) q into outfile 'f';
 
# Cleanup
--disconnect con1
--connection default
DROP USER foo@localhost;

Works as expected in MySQL (SELECT is prohibited).

