Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

planner: privilege check for SELECT INTO OUTFILE #19553

Merged
merged 2 commits into from Aug 28, 2020
Merged

planner: privilege check for SELECT INTO OUTFILE #19553

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fedfae1
planner: privilege check for SELECT INTO OUTFILE
Aug 27, 2020
ba1bcbf
Merge branch 'master' into into-outfile-security
ti-srebot Aug 28, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion planner/core/errors.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,6 @@ var (
ErrCartesianProductUnsupported = terror.ClassOptimizer.New(mysql.ErrCartesianProductUnsupported, mysql.MySQLErrName[mysql.ErrCartesianProductUnsupported])
ErrStmtNotFound = terror.ClassOptimizer.New(mysql.ErrPreparedStmtNotFound, mysql.MySQLErrName[mysql.ErrPreparedStmtNotFound])
ErrAmbiguous = terror.ClassOptimizer.New(mysql.ErrNonUniq, mysql.MySQLErrName[mysql.ErrNonUniq])
// Since we cannot know if user loggined with a password, use message of ErrAccessDeniedNoPassword instead
// Since we cannot know if user logged in with a password, use message of ErrAccessDeniedNoPassword instead
ErrAccessDenied = terror.ClassOptimizer.New(mysql.ErrAccessDenied, mysql.MySQLErrName[mysql.ErrAccessDeniedNoPassword])
)
1 change: 1 addition & 0 deletions planner/core/planbuilder.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3176,6 +3176,7 @@ func (b *PlanBuilder) buildSelectInto(ctx context.Context, sel *ast.SelectStmt)
if err != nil {
return nil, err
}
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.FilePriv, "", "", "", ErrSpecificAccessDenied.GenWithStackByArgs("FILE"))
return &SelectInto{
TargetPlan: targetPlan,
IntoOpt: selectIntoInfo,
Expand Down
9 changes: 9 additions & 0 deletions privilege/privileges/privileges_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1007,6 +1007,15 @@ func (s *testPrivilegeSuite) TestLoadDataPrivilege(c *C) {
c.Assert(err, IsNil)
}

func (s *testPrivilegeSuite) TestSelectIntoNoPremissions(c *C) {
se := newSession(c, s.store, s.dbName)
mustExec(c, se, `CREATE USER 'nofile'@'localhost';`)
c.Assert(se.Auth(&auth.UserIdentity{Username: "nofile", Hostname: "localhost"}, nil, nil), IsTrue)
_, err := se.Execute(context.Background(), `select 1 into outfile '/tmp/doesntmatter-no-permissions'`)
message := "Access denied; you need (at least one of) the FILE privilege(s) for this operation"
c.Assert(strings.Contains(err.Error(), message), IsTrue)
}

func (s *testPrivilegeSuite) TestGetEncodedPassword(c *C) {
se := newSession(c, s.store, s.dbName)
mustExec(c, se, `CREATE USER 'test_encode_u'@'localhost' identified by 'root';`)
Expand Down