planner: privilege check for SELECT INTO OUTFILE (#19553)

Co-authored-by: ti-srebot <66930949+ti-srebot@users.noreply.github.com>
pingcap · Aug 28, 2020 · baf0991 · baf0991
1 parent b4f0854
commit baf0991
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/planner/core/errors.go b/planner/core/errors.go
@@ -80,6 +80,6 @@ var (
 	ErrCartesianProductUnsupported     = terror.ClassOptimizer.New(mysql.ErrCartesianProductUnsupported, mysql.MySQLErrName[mysql.ErrCartesianProductUnsupported])
 	ErrStmtNotFound                    = terror.ClassOptimizer.New(mysql.ErrPreparedStmtNotFound, mysql.MySQLErrName[mysql.ErrPreparedStmtNotFound])
 	ErrAmbiguous                       = terror.ClassOptimizer.New(mysql.ErrNonUniq, mysql.MySQLErrName[mysql.ErrNonUniq])
-	// Since we cannot know if user loggined with a password, use message of ErrAccessDeniedNoPassword instead
+	// Since we cannot know if user logged in with a password, use message of ErrAccessDeniedNoPassword instead
 	ErrAccessDenied = terror.ClassOptimizer.New(mysql.ErrAccessDenied, mysql.MySQLErrName[mysql.ErrAccessDeniedNoPassword])
 )
diff --git a/planner/core/planbuilder.go b/planner/core/planbuilder.go
@@ -3176,6 +3176,7 @@ func (b *PlanBuilder) buildSelectInto(ctx context.Context, sel *ast.SelectStmt)
 	if err != nil {
 		return nil, err
 	}
+	b.visitInfo = appendVisitInfo(b.visitInfo, mysql.FilePriv, "", "", "", ErrSpecificAccessDenied.GenWithStackByArgs("FILE"))
 	return &SelectInto{
 		TargetPlan: targetPlan,
 		IntoOpt:    selectIntoInfo,

diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
@@ -1007,6 +1007,15 @@ func (s *testPrivilegeSuite) TestLoadDataPrivilege(c *C) {
 	c.Assert(err, IsNil)
 }
 
+func (s *testPrivilegeSuite) TestSelectIntoNoPremissions(c *C) {
+	se := newSession(c, s.store, s.dbName)
+	mustExec(c, se, `CREATE USER 'nofile'@'localhost';`)
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "nofile", Hostname: "localhost"}, nil, nil), IsTrue)
+	_, err := se.Execute(context.Background(), `select 1 into outfile '/tmp/doesntmatter-no-permissions'`)
+	message := "Access denied; you need (at least one of) the FILE privilege(s) for this operation"
+	c.Assert(strings.Contains(err.Error(), message), IsTrue)
+}
+
 func (s *testPrivilegeSuite) TestGetEncodedPassword(c *C) {
 	se := newSession(c, s.store, s.dbName)
 	mustExec(c, se, `CREATE USER 'test_encode_u'@'localhost' identified by 'root';`)