Re: [Maria-developers] c48b190824a: Fixed error messages from DROP VIEW to align with DROP TABLE
Hi! On Sat, Jun 13, 2020 at 5:37 PM Sergei Golubchik wrote: > > DROP VIEW IF EXISTS t1; > > Warnings: > > +Warning 1347'test.t1' is not of type 'VIEW' > > please, add a test for the case when a user has no privileges on > test.t1, the object existence is not leaked out (if one has no > privileges to know whether t1 exists or whether t1 is a view or a table, > the error message should not divulge it). > > (the same for tables and for sequences in your next commit) I was about to create a test do that, but then I started to think that we only have a drop privilege that works for 'anything with this name This means that if one is allowed to drop a view named 't1', one is also allowed to drop a table named t1. This also means that I don't know what to add to the test. The privileges are checked first and if one tries to drop an object that one is not allowed to access, one will get an error before DROP VIEW code is executed. When in DROP, either DROP SEQUENCES, DROP VIEW or DROP TABLE no privilege checking is made. This means that a user can always find out if there is an object of a certain type by executing one of the above drops. In other mens, there is nothing to hide in DROP VIEW that the user can't find out anyway. Regards, Monty ___ Mailing list: https://launchpad.net/~maria-developers Post to : maria-developers@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-developers More help : https://help.launchpad.net/ListHelp
Re: [Maria-developers] c48b190824a: Fixed error messages from DROP VIEW to align with DROP TABLE
Hi, Michael! On Jun 13, Michael Widenius wrote: > revision-id: c48b190824a (mariadb-10.5.2-405-gc48b190824a) > parent(s): 50bad912977 > author: Michael Widenius > committer: Michael Widenius > timestamp: 2020-06-12 12:04:05 +0300 > message: > > Fixed error messages from DROP VIEW to align with DROP TABLE > > - Produce a "Note" for all wrongly dropped objects > (Like doing DROP VIEW on a table). > - IF EXISTS ends with a list of all not existing objects, instead of a > separate note for every not existing object. > > Other things: > - Fixed bug where one could do CREATE TEMPORARY SEQUENCE multiple times >and create multiple temporary sequences with the same name. > > diff --git a/mysql-test/main/create_drop_view.result > b/mysql-test/main/create_drop_view.result > index 92fbf5ac9e5..7cfa818ccbf 100644 > --- a/mysql-test/main/create_drop_view.result > +++ b/mysql-test/main/create_drop_view.result > @@ -61,5 +61,6 @@ Warnings: > Note 4092Unknown VIEW: 'test.v1' > DROP VIEW IF EXISTS t1; > Warnings: > +Warning 1347'test.t1' is not of type 'VIEW' please, add a test for the case when a user has no privileges on test.t1, the object existence is not leaked out (if one has no privileges to know whether t1 exists or whether t1 is a view or a table, the error message should not divulge it). (the same for tables and for sequences in your next commit) > Note 4092Unknown VIEW: 'test.t1' > DROP TABLE t1; Regards, Sergei VP of MariaDB Server Engineering and secur...@mariadb.org ___ Mailing list: https://launchpad.net/~maria-developers Post to : maria-developers@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-developers More help : https://help.launchpad.net/ListHelp
