BUG#31553323: INFORMATION_SCHEMA.TABLES RETURNS INFORMATION ABOUT TABLES WITHOUT PERMISSIONS

karthik-kamath · karthik-kamath · commit 8ed647931353 · 2020-10-19T21:09:22.000+05:30
ANALYSIS:
=========
Issue here is, a user who doesn't have access to certain
tables is able to obtain information about those tables
through the Information_schema.

The issue occurred because of missing table level privilege
checks when accessing table information from Information
schema tables.

FIX:
====
Added a check to verify table level privileges for the user
when accessing table information from Information_Schema
tables.

Change-Id: Ied11c765f860bdf84082559ed972ec20d91b6433
diff --git a/mysql-test/r/grant4.result b/mysql-test/r/grant4.result
@@ -85,10 +85,10 @@ GRANT SHOW VIEW ON v2 to mysqltest_u1@localhost;
 GRANT SHOW VIEW, SELECT ON v3 to mysqltest_u1@localhost;
 use mysqltest_db1;
 ** Connect as restricted user mysqltest_u1.
-** SELECT FROM INFORMATION_SCHEMA.STATISTICS will succeed because any privileges will do (authentication is enough).
+# The user does not have table level grants on table t5. Hence cannot get
+# information about it from INFORMATION_SCHEMA.STATISTICS
 SELECT * FROM INFORMATION_SCHEMA.STATISTICS WHERE table_name='t5';
 TABLE_CATALOG	TABLE_SCHEMA	TABLE_NAME	NON_UNIQUE	INDEX_SCHEMA	INDEX_NAME	SEQ_IN_INDEX	COLUMN_NAME	COLLATION	CARDINALITY	SUB_PART	PACKED	NULLABLE	INDEX_TYPE	COMMENT	INDEX_COMMENT
-def	mysqltest_db1	t5	1	mysqltest_db1	i	1	s1	A	NULL	NULL	NULL	YES	BTREE		
 ** SHOW INDEX FROM t5 will fail because we don't have any privileges on any column combination.
 SHOW INDEX FROM t5;
 ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't5'
diff --git a/mysql-test/t/grant4.test b/mysql-test/t/grant4.test
@@ -103,10 +103,8 @@ GRANT SHOW VIEW, SELECT ON v3 to mysqltest_u1@localhost;
 connection con1;
 use mysqltest_db1;
 --echo ** Connect as restricted user mysqltest_u1.
---echo ** SELECT FROM INFORMATION_SCHEMA.STATISTICS will succeed because any privileges will do (authentication is enough).
-#
-# this result is wrong. reported as bug#34104
-#
+--echo # The user does not have table level grants on table t5. Hence cannot get
+--echo # information about it from INFORMATION_SCHEMA.STATISTICS
 SELECT * FROM INFORMATION_SCHEMA.STATISTICS WHERE table_name='t5';
 #
 # Bug27145 EXTRA_ACL trouble
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
@@ -3415,7 +3415,28 @@ make_table_name_list(THD *thd, List<LEX_STRING> *table_names, LEX *lex,
       }
     }
     else
-    {    
+    {
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+      if (!(thd->col_access & TABLE_ACLS))
+      {
+        TABLE_LIST table_list;
+        memset(&table_list, 0, sizeof(table_list));
+
+        /*
+          Database name and table name have already been converted to lowercase
+          if lower_case_table_names is > 0. We can safely use lookup_field_vals
+          here.
+        */
+        table_list.db= db_name->str;
+        table_list.db_length= db_name->length;
+        table_list.table_name_length= lookup_field_vals->table_value.length;
+        table_list.table_name= lookup_field_vals->table_value.str;
+        table_list.grant.privilege=thd->col_access;
+
+        if (check_grant(thd, TABLE_ACLS, &table_list, TRUE, 1, TRUE))
+          return 2;
+      }
+#endif
       if (table_names->push_back(&lookup_field_vals->table_value))
         return 1;
       /*
