Hi, Nikita,

ok to push under condition that you do the change as below, if it's
applicable.

On Jan 05, Nikita Malyavin wrote:
> revision-id: dc50afee924 (mariadb-11.3.1-13-gdc50afee924)
> parent(s): 080d8c3bd8f
> author: Nikita Malyavin
> committer: Nikita Malyavin
> timestamp: 2024-01-05 00:07:06 +0100
> message:
> 
> MDEV-32501 KEY_PERIOD_USAGE reveals information to unprivileged user
> 
> Restrict access to KEY_PERIOD_USAGE: show the constraint record iff any
> non-select privilege on any table column is granted.
> 
> Also drop the unprivileged user at the end of the test and add merge anchor.
> 
> diff --git a/sql/sql_show.cc b/sql/sql_show.cc
> index 95a9d3647b0..e5516466e20 100644
> --- a/sql/sql_show.cc
> +++ b/sql/sql_show.cc
> @@ -7798,6 +7798,12 @@ int get_schema_key_period_usage_record(THD *thd, 
> TABLE_LIST *tables,
>    if (!period_name)
>      return 0;
>  
> +#ifndef NO_EMBEDDED_ACCESS_CHECKS
> +  check_grant(thd, TABLE_ACLS, tables, 1, 1, 1);
> +  if ((tables->grant.all_privilege() & ~SELECT_ACL & TABLE_ACLS) == NO_ACL)
> +    return 0;
> +#endif

Compare with get_schema_key_column_usage_record() above your
get_schema_key_period_usage_record().

Perhaps you can also check `thd->col_access` and avoid check_grant()?

>    bool err= false;
>    for (uint k= 0; !err && k < keys_total; k++)
>    {
> 
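
Review bot: the result of the added `check_grant(thd, TABLE_ACLS, tables, 1, 1, 1);` call is discarded, and its three literal `1` arguments are unexplained, so the hunk does not show whether a failed check should matter or whether the call exists only to fill `tables->grant` for the next line. If the latter is intended, a short comment saying so, and stating that the mask `~SELECT_ACL & TABLE_ACLS` means "any table privilege other than SELECT", would make the filter auditable. The commit message speaks of privileges "on any table column", while the condition reads only `tables->grant.all_privilege()`; the comment should say how column-level grants are covered, or the message should be reworded to match.
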
Regards,
Sergei
Chief Architect, MariaDB Server
and secur...@mariadb.org
_______________________________________________
developers mailing list -- developers@lists.mariadb.org
To unsubscribe send an email to developers-le...@lists.mariadb.org
