Bug #46960 Users can obtain unauthorized information about objects through SHOW CREATE VIEW
Submitted: 27 Aug 2009 17:17
Modified: 22 Sep 2009 12:57
Reporter: Martin Hansson
Status: Not a Bug
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.1
OS: Any
Assigned to: Martin Hansson
CPU Architecture: Any

[27 Aug 2009 17:17] Martin Hansson
Description:
This is a continuation of Bug#35996, making the check even stricter. When a table or column is referenced by a view, the error message is different depending on whether the table/column does not exist, even though the user does not have sufficient privileges to know whether it exists or not.

How to repeat:
See attached test case.

Suggested fix:
According to discussion between gluh and serg (this is second-hand information), you can call open_tables for tables that don't exist, given that you supply the right flags. This would start the access check so that a user will get a missing privilege error rather than a missing table error.
[27 Aug 2009 17:35] Martin Hansson
How to repeat

Attachment: newbug_htr.test (application/octet-stream, text), 1.29 KiB.

[28 Aug 2009 12:09] MySQL Verification Team
Thank you for the bug report.
[22 Sep 2009 12:57] Martin Hansson
The matter has been discussed thoroughly and the approach for Bug#35996 is a completely different one, making this bug report obsolete.