    036479aa
    Bug#11756966 - 48958: STORED PROCEDURES CAN BE LEVERAGED TO BYPASS · 036479aa
    Jon Olav Hauglid authored
                   DATABASE SECURITY
    
    The problem was that CREATE PROCEDURE/FUNCTION could be used to
    check the existence of databases for which the user had no
    privileges and therefore should not be allowed to see.
    
    The reason was that existence of a given database was checked
    before privileges. So trying to create a stored routine in
    a non-existent database would give a different error than trying
    to create a stored routine in a restricted database.
    
    This patch fixes the problem by changing the order of the checks
    for CREATE PROCEDURE/FUNCTION so that privileges are checked first.
    This means that trying to create a stored routine in a
    non-existent database and in a restricted database both will
    give ER_DBACCESS_DENIED_ERROR error.
    
    Test case added to grant.test.
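
The check ordering described in the commit message, as an added example: this is a simplified model written for this page, not MySQL server code. The `Server` type, the function names and the sample data are hypothetical, and the "unknown database" result standing in for the pre-patch "different error" is an assumption.

```cpp
#include <set>
#include <string>
#include <utility>

// Model outcomes. AccessDenied stands for ER_DBACCESS_DENIED_ERROR (named in
// the commit message); BadDb is an assumed stand-in for the "different error".
enum class Result { Created, BadDb, AccessDenied };

struct Server {
    std::set<std::string> databases;                       // schemas that exist
    std::set<std::pair<std::string, std::string>> grants;  // (user, db) pairs
    bool exists(const std::string &db) const { return databases.count(db) != 0; }
    bool allowed(const std::string &user, const std::string &db) const {
        return grants.count({user, db}) != 0;
    }
};

// Pre-patch order: existence is checked before privileges, so the error
// reveals whether a database the caller cannot access exists.
Result create_routine_before(const Server &s, const std::string &user, const std::string &db) {
    if (!s.exists(db)) return Result::BadDb;
    if (!s.allowed(user, db)) return Result::AccessDenied;
    return Result::Created;
}

// Patched order: privileges first, so both cases return the same error.
Result create_routine_after(const Server &s, const std::string &user, const std::string &db) {
    if (!s.allowed(user, db)) return Result::AccessDenied;
    if (!s.exists(db)) return Result::BadDb;
    return Result::Created;
}

// Regression check: true when an unprivileged caller gets the same result
// for a restricted database and for a non-existent one.
template <typename F>
bool indistinguishable(F create, const Server &s, const std::string &user,
                       const std::string &restricted, const std::string &missing) {
    return create(s, user, restricted) == create(s, user, missing);
}

// Constructed sample: two schemas, one grant.
Server sample_server() {
    Server s;
    s.databases = {"app", "payroll"};
    s.grants = {{"alice", "app"}};
    return s;
}

int main() {
    Server s = sample_server();
    return indistinguishable(create_routine_after, s, "alice", "payroll", "nope") ? 0 : 1;
}
```
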