Bug #34520 | Late decoding of C-style escape sequences and privilege obfuscation | ||
---|---|---|---|
Submitted: | 13 Feb 2008 13:30 | Modified: | 18 Feb 2008 18:19 |
Reporter: | Gleb Shchepa | Email Updates: | |
Status: | Verified | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 5.0+ | OS: | Any |
Assigned to: | CPU Architecture: | Any |
[13 Feb 2008 13:30]
Gleb Shchepa
[13 Feb 2008 13:34]
Gleb Shchepa
test case (corrected)
Attachment: 34520.test (application/octet-stream, text), 809 bytes.
[13 Feb 2008 14:37]
Susanne Ebrecht
Escape sequences are not possible for identifiers. They are only possible for data strings. You can create identifiers with or without quotes (`My:Identifier` or using ANSI_QUOTS: "My:Identifier"). Without quotes, you are only allowed to use signs, that are possible and not reserved. You will get an Error, if you use something wrong here. With quotes means: let it as it is. When you use quotes, it means, you want to have signs like \, % or whatever at your identifier name.
[13 Feb 2008 14:51]
Susanne Ebrecht
15:43 < gleb> susanne: about #34520: this bug is not about escapes in identifiers, but it is about escapes in templates. 15:44 < susanne> ?? 15:44 < gleb> susanne: GRANT and REVOKE use same string format as LIKE sentence 15:44 < gleb> salle: escapes are allowed too 15:44 < gleb> oops 15:44 < gleb> susanne: escapes are allowed too Because of the database name example, I miss understood this. I could reproduce this by using 5.0 bk-tree. Verified as described.
[13 Feb 2008 22:35]
Peter Laursen
I also request aa clarification in the documentation on this "GRANT and REVOKE use same string format as LIKE sentence". I understand that servers up to 4.1 behave as Gleb expect?
[14 Feb 2008 8:54]
Gleb Shchepa
> I also request aa clarification in the documentation on > this "GRANT and REVOKE use same string format as LIKE sentence". Information is available at http://dev.mysql.com/doc/refman/5.0/en/request-access.html However, decoding of escape-sequences other than \_ and \% is an undocumented feature. Actually, the server doesn't decode them, it simply ignores backslashes before any character other than _ and %, so it "decodes" '\n' to 'n' etc - that is a bug: > CREATE DATABASE name; > CREATE TABLE name.t1 (a INT); > CREATE USER 'user'@'%'; # `\name` should be decoded as `name` ... > GRANT SELECT ON `\name`.* TO 'user'@'%'; # ... but it is not: > SHOW GRANTS FOR 'user'@'%'; Grants for user@% GRANT USAGE ON *.* TO 'user'@'%' GRANT SELECT ON `\name`.* TO 'user'@'%' # this should duplicate previous grant ... > GRANT SELECT ON name.* TO 'user'@'%'; # ... but it doesn't, there are 2 different privileges: > SHOW GRANTS FOR 'user'@'%'; Grants for user@% GRANT USAGE ON *.* TO 'user'@'%' GRANT SELECT ON `\name`.* TO 'user'@'%' GRANT SELECT ON `name`.* TO 'user'@'%' # this should revoke all grants on both `name` and `\name` if any > REVOKE ALL ON name.* FROM 'user'@'%'; # ... but it removes only grants on `name`: > SHOW GRANTS FOR 'user'@'%'; Grants for user@% GRANT USAGE ON *.* TO 'user'@'%' GRANT SELECT ON `\name`.* TO 'user'@'%' # connect with username "user" # here should be an access error: > SELECT * FROM name.t1; a
[14 Feb 2008 10:42]
Sergei Golubchik
Why it's a bug ? According to you, the manual doesn't say that GRANT should decode \xxx escapes besides \_ and \%, the server does not decode them. Where's the bug ?
[14 Feb 2008 11:19]
Gleb Shchepa
> Why it's a bug ? > According to you, the manual doesn't say that GRANT should > decode \xxx escapes besides \_ and \%, the server does not > decode them. Where's the bug ? The bug is here: after revoking all privileges on some database/table from some user, that user still be able to do everything with this database/table: under root: GRANT ALL ON `\name`.* TO 'user'@'%'; ... REVOKE ALL ON name.* FROM 'user'@'%'; under user@%: SELECT * FROM name.sometable; UPDATE name.othertable ...
[14 Feb 2008 12:22]
Peter Laursen
"However, decoding of escape-sequences other than \_ and \% is an undocumented feature." Undocumented features should not exist! They should either be documented or disabled! How can users know? I also thing the MySQL development team has grown to a size where developers can only consider what is documented. I request appropriate documentation for this LIKE-behaviour on this page: http://dev.mysql.com/doc/refman/5.0/en/grant.html
[14 Feb 2008 12:30]
Gleb Shchepa
> I request appropriate documentation for this LIKE-behaviour > on this page: http://dev.mysql.com/doc/refman/5.0/en/grant.html Looking at http://dev.mysql.com/doc/refman/5.0/en/grant.html: " Note The “_” and “%” wildcards are allowed when specifying database names in GRANT statements that grant privileges at the global or database levels. This means, for example, that if you want to use a “_” character as part of a database name, you should specify it as “\_” in the GRANT statement, to prevent the user from being able to access additional databases matching the wildcard pattern; for example, GRANT ... ON `foo\_bar`.* TO .... " About other escape sequences: unexpected (and undocumented) processing of such sequences is a subject of this bug #34520.
[24 Mar 2010 10:59]
Sveta Smirnova
See also bug #52326