Bug #34104 | SELECT FROM I_S.STATISTICS have different privilege requirements than SHOW INDEX | ||
---|---|---|---|
Submitted: | 28 Jan 2008 13:09 | Modified: | 4 Feb 2008 11:09 |
Reporter: | Kristofer Pettersson | Email Updates: | |
Status: | Verified | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 5.1 | OS: | Any |
Assigned to: | Assigned Account | CPU Architecture: | Any |
[28 Jan 2008 13:09]
Kristofer Pettersson
[4 Feb 2008 11:09]
MySQL Verification Team
Thank you for the bug report.
[13 May 2016 11:47]
Gopal Shankar
More information about the issue: make_table_name_list() handles 'WHERE TABLE_NAME =' clause bit differently. And the problem is that this part of code does not care for access check. If we run a I_S query without WHERE clause containing TABLE_NAME field, then we see that table 't5' is not shown and skipped by proper access check. E.g., So the following shows the table 't5', without doing access check. => SELECT * FROM INFORMATION_SCHEMA.STATISTICS WHERE table_name='t5'; And the following does not show table 't5', as it does proper access check, => SELECT * FROM INFORMATION_SCHEMA.STATISTICS; This can be fixed in 5.7 and earlier versions. In 5.8, this issue would get fixed by WL#6599.