ES / EDS allows changing the password (by extending it on the right side) when this is
done starting from the 2nd iteration of a cursor loop
-------------------------------------------------------------------------------------------------------------------------------
Key: CORE-5027
URL: http://tracker.firebirdsql.org/browse/CORE-5027
Project: Firebird Core
Issue Type: Bug
Components: Engine, Security
Affects Versions: 3.0 RC 1
Reporter: Pavel Zotov
(I've decided to set issue type = 'bug', but it seems like an 'oddity'. It's a
pity that currently there is no such item in this list :-))
Running this script on FB 3.0 with auth = Srp (or Legacy, it doesn't matter):
===
show version;
set list on;
select
     mon$user
    ,mon$remote_protocol
    ,mon$remote_address
    ,mon$client_version
    ,mon$remote_version
    ,mon$auth_method
from mon$attachments where mon$attachment_id = current_connection;
commit;
recreate table t_source(id int, x int);
recreate table t_target(id int, x int);
commit;
insert into t_source values(1, 10);
insert into t_source values(2, 20);
insert into t_source values(3, 30);
insert into t_source values(4, 40);
commit;
set term ^;
execute block returns( iter int, password_on_iter varchar(80) )
as
    declare v_stt varchar(80);
    declare v_dbname varchar(255);
    declare v_who varchar(31) = 'SYSDBA';
    declare c_source cursor for (select id, x from t_source);
    declare v_id int;
    declare v_x int;
begin
    v_stt = 'insert into t_target( id, x ) values( ?, ?)';
    iter = 1;
    password_on_iter = 'masterke';
    open c_source;
    while (1=1) do
    begin
        fetch c_source into v_id, v_x;
        if ( row_count = 0 ) then leave;
        -- ES/EDS against the same database, with the password of this iteration
        execute statement (v_stt) ( :v_id, :v_x )
            on external rdb$get_context('SYSTEM','DB_NAME')
            as user v_who
            password password_on_iter
        ;
        suspend;
        iter = iter + 1;
        -- extending on the left side fails with 'invalid user/password':
        --password_on_iter = 'x' || password_on_iter;
        -- extending on the right side is accepted:
        password_on_iter = password_on_iter || left(uuid_to_char(gen_uuid()), 5);
    end
    close c_source;
end
^
set term ;^
commit;
set list off;
set echo on;
select * from t_target;
===
I've got:
===
ISQL Version: WI-V3.0.0.32179 Firebird 3.0 Release Candidate 1
Server version:
Firebird/Windows/Intel/i386 (access method), version "WI-V3.0.0.32179 Firebird
3.0 Release Candidate 1"
Firebird/Windows/Intel/i386 (remote server), version "WI-V3.0.0.32179 Firebird
3.0 Release Candidate 1/tcp (csprog)/P13"
Firebird/Windows/Intel/i386 (remote interface), version "WI-V3.0.0.32179
Firebird 3.0 Release Candidate 1/tcp (csprog)/P13"
on disk structure version 12.0
MON$ATTACHMENT_ID 265
MON$SERVER_PID 1656
MON$STATE 1
MON$ATTACHMENT_NAME e30
MON$USER SYSDBA
MON$ROLE NONE
MON$REMOTE_PROTOCOL TCPv4
MON$REMOTE_ADDRESS 192.168.43.154
MON$REMOTE_PID 5408
MON$CHARACTER_SET_ID 0
MON$TIMESTAMP 2015-11-22 00:22:30.2720
MON$GARBAGE_COLLECTION 1
MON$REMOTE_PROCESS C:\MIX\Firebird\fb30\isql.exe
MON$STAT_ID 8
MON$CLIENT_VERSION WI-V3.0.0.32179 Firebird 3.0 Release Candidate 1
MON$REMOTE_VERSION P13
MON$REMOTE_HOST csprog
MON$REMOTE_OS_USER zotov
MON$AUTH_METHOD Srp
MON$SYSTEM_FLAG 0
ITER 1
PASSWORD_ON_ITER masterke
ITER 2
PASSWORD_ON_ITER masterke07896
ITER 3
PASSWORD_ON_ITER masterke07896D46CA
ITER 4
PASSWORD_ON_ITER masterke07896D46CA6C52C
ID X
============ ============
1 10
2 20
3 30
4 40
===
So, starting from the SECOND iteration of a cursor loop which does ES/EDS one may...
increment the string which stores the PASSWORD! :-)
But such an increment can be done only on the right side, i.e. after the last character of
the previous password value.
When adding to the left side, the exception about 'invalid user/password' is raised (as
expected).
PS.
Trace shows that the event when the engine does attach/detach to security3.fdb occurred only
ONCE, at the beginning of the script (i.e. before show version). Thus another
question arises: "who" checks authentication when we do ES/EDS *inside* a
cursor loop? In other words: why can one kind of password change be done OK
while another ( password_on_iter = 'x' || password_on_iter; ) fails?
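The report does not say where the accepted right-side extension comes from; the trace only shows that the security database was consulted once. The following Python model is an added illustration, not Firebird's code and not the issue's stated cause: it is one hypothetical mechanism that reproduces the symptom, a per-attachment cache of external connections whose lookup treats the cached password as a prefix of the supplied one, placed beside a strict lookup that compares the full credential. Names (`ConnectionCache`, `run_loop`, the `CREDENTIALS` store standing in for security3.fdb, the database alias "e30") are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the security database (user -> password).
# Hypothetical model only; the real server verifies via Srp or Legacy auth.
CREDENTIALS = {"SYSDBA": "masterke"}


@dataclass
class Connection:
    db: str
    user: str
    password: str


@dataclass
class ConnectionCache:
    """Hypothetical per-attachment cache of external (ES/EDS) connections.

    strict=True  : a cached connection is reused only if the supplied password
                   is byte-for-byte equal to the one it was opened with.
    strict=False : a cached connection is reused if the supplied password merely
                   starts with the cached one (a modelled flaw that reproduces
                   the symptom in the report: right-side extension accepted,
                   left-side extension rejected).
    """
    strict: bool
    attaches: int = 0                      # how often the security DB was consulted
    _pool: list = field(default_factory=list)

    def _authenticate(self, user: str, password: str) -> None:
        # Full, constant-time comparison against the credential store.
        expected = CREDENTIALS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("invalid user/password")

    def _matches(self, conn: Connection, db: str, user: str, password: str) -> bool:
        if conn.db != db or conn.user != user:
            return False
        if self.strict:
            return hmac.compare_digest(conn.password.encode(), password.encode())
        # Modelled flaw: prefix match instead of equality.
        return password.startswith(conn.password)

    def get(self, db: str, user: str, password: str) -> Connection:
        for conn in self._pool:
            if self._matches(conn, db, user, password):
                return conn                # cache hit: no authentication performed
        self._authenticate(user, password) # cache miss: attach, so auth is checked
        self.attaches += 1
        conn = Connection(db, user, password)
        self._pool.append(conn)
        return conn


def run_loop(cache: ConnectionCache, passwords: list) -> list:
    """Replay the script's cursor loop: one ES/EDS per row, each with its own
    password value. Returns 'ok' or the error text for every iteration."""
    results = []
    for pwd in passwords:
        try:
            cache.get("e30", "SYSDBA", pwd)
            results.append("ok")
        except PermissionError as exc:
            results.append(str(exc))
    return results


if __name__ == "__main__":
    # Right-side extension, as in the report's output.
    loose = ConnectionCache(strict=False)
    print(run_loop(loose, ["masterke", "masterke07896", "masterke07896D46CA"]), loose.attaches)
    # Left-side extension, the commented-out line in the script.
    print(run_loop(ConnectionCache(strict=False), ["masterke", "xmasterke"]))
    # Strict lookup: any change to the password forces a fresh authentication.
    strict = ConnectionCache(strict=True)
    print(run_loop(strict, ["masterke", "masterke07896"]), strict.attaches)
```

With the loose lookup the security store is consulted exactly once, matching the single attach/detach in the trace, and every right-extended password is accepted, while a left-extended one misses the cache and fails authentication. With the strict lookup the second iteration also misses the cache and fails, which is the behaviour one would expect from a credential check.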
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://tracker.firebirdsql.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel