Bug #3924 Usage-only user can create a new database
Submitted: 28 May 2004 11:25    Modified: 29 May 2004 19:11
Reporter: [ name withheld ]
Status: Not a Bug    Impact on me: None
Category: MySQL Server    Severity: S3 (Non-critical)
Version: 4.0.18-r2    OS: Linux (Gentoo Linux)
Assigned to: Sergei Golubchik    CPU Architecture: Any

[28 May 2004 11:25] [ name withheld ]
Description:
A user with usage-only privileges for a database like "something_com" can create a new database in the form "something?com" and use it with the same privileges as if he were using "something_com".

How to repeat:
1. Create a database called something_com
2. Create user "someone"
3. Give to user "someone" only usage privileges to the database something_com
4. Connect to MySQL server using "someone" username and password
5. Create a database called something?com
6. You're done ...
[28 May 2004 13:20] Sergei Golubchik
It's fixed in 4.1 for a year already.
I'll backport the fix to 4.0...
[29 May 2004 16:32] Sergei Golubchik
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

fixed in 4.0.21
[29 May 2004 19:11] Sergei Golubchik
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.mysql.com/documentation/ and the instructions on
how to report a bug at http://bugs.mysql.com/how-to-report.php

Additional info:

Oops, sorry. I misread the bug report.
There was indeed a similar bug that was fixed in 4.1, and I have now backported the fix to 4.0,
but it was about the GRANT statement.

As for this particular report - this is not a bug.
In GRANT ... TO "something_com" ..., the underscore is a wildcard - see the manual.
You need to quote it to be treated as a regular underscore.
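The following is an added example, not part of the bug report or of any MySQL code. It shows the grant as the reporter's steps describe it next to the form the MySQL manual requires for a literal underscore (a backslash escape, which is the "quoting" the last comment refers to), and finishes with an audit query over mysql.db that lists database-level grants whose pattern still contains an unescaped wildcard. The user name, host, privilege list, database name and password are constructed for illustration; the GRANT ... IDENTIFIED BY form matches the 4.0-era syntax of the report, while newer servers need a separate CREATE USER statement first.

```sql
-- Constructed example (not from the bug report). Names and password
-- are placeholders; the 4.0-era GRANT ... IDENTIFIED BY syntax is used
-- because that is the version the report is about.

-- Weak: in a GRANT database name, "_" is a single-character wildcard,
-- so this grant also covers somethingXcom, something-com, ... and the
-- user can CREATE any such database and use it with these privileges.
GRANT SELECT, INSERT, CREATE ON `something_com`.*
  TO 'someone'@'localhost' IDENTIFIED BY 'example-password';

-- Hardened: escape the underscore so the pattern matches only the
-- database named something_com. Revoke the wildcard grant first.
REVOKE SELECT, INSERT, CREATE ON `something_com`.* FROM 'someone'@'localhost';
GRANT SELECT, INSERT, CREATE ON `something\_com`.* TO 'someone'@'localhost';
FLUSH PRIVILEGES;

-- Check: the grant should now show the escaped pattern `something\_com`.
SHOW GRANTS FOR 'someone'@'localhost';

-- Audit: database-level grants whose Db pattern still contains an
-- unescaped "_" or "%". Backslash-escaped wildcards are stripped
-- before the test. In a MySQL string literal '\\_' is backslash plus
-- underscore (assumes NO_BACKSLASH_ESCAPES is not set).
SELECT Host, User, Db
FROM mysql.db
WHERE INSTR(REPLACE(Db, '\\_', ''), '_') > 0
   OR INSTR(REPLACE(Db, '\\%', ''), '%') > 0;
```

Rows returned by the audit query are grants that match more than one database name; each should be re-issued with the escaped pattern unless the wildcard is intended. The same check is worth running after any bulk privilege import, since tools that generate GRANT statements from a list of database names rarely escape the underscore.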