Bug #35996 SELECT + SHOW VIEW should be enough to display view definition
Submitted: 11 Apr 2008 13:41
Modified: 18 Dec 2009 20:33
Reporter: Martin Hansson
Status: Closed
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.0, 5.1, 6.0
OS: Any
Assigned to: Martin Hansson
CPU Architecture: Any
Tags: grant, show create view, temptable, Views

[11 Apr 2008 13:41] Martin Hansson
Description:
When referring to a view using the TEMPTABLE algorithm, the internal view object gets smashed with the temporary table, i.e. all relevant fields are replaced with those of the temporary table. There appears to be a bug in this procedure which enables users to do SHOW CREATE VIEW on ALGORITHM = TEMPTABLE views defined in terms of tables.

How to repeat:
See attached test case.

Suggested fix:
This fix will be fixed (has to be fixed) along with Bug#35600.
[12 Aug 2009 12:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/80667

2936 Martin Hansson	2009-08-12
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      There were no errors displayed when issuing a SHOW CREATE VIEW for views that
      reference base tables for which the user did not have sufficient privileges to
      see the table structure. If the view referenced a view with the same lack of
      privileges, however, an error was raised correctly. 
      
      This came about because the 'access denied' error message was first issued
      during normal access checking for the referenced base table, then converted
      into a generic 'view invalid' message for the referencing view in order to
      hide details of the table structure which were otherwise visible in the error
      message.
      
      Later still, all 'view invalid' errors were cleared and a warning issued
      instead, the rationale being that we should not get errors simply because a
      view referenced a nonexisting object. At this point all information about the
      initial causes of the error condition was lost.
      
      Fixed by implementing a specialized subclass of Internal_error_handler and
      removing error handling that manipulates error messages.
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed result.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case.
     @ mysql-test/t/view_grant.test
        Bug#35996: Changed test case, test case for bug.
     @ sql/sql_base.cc
        Bug#35996: Partial removal of old style of error handling.
     @ sql/sql_show.cc
        Bug#35996: Implementation of the new Internal_error_handler subclass.
[12 Aug 2009 14:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/80677

2936 Martin Hansson	2009-08-12
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      There were no errors displayed when issuing a SHOW CREATE VIEW for views that
      reference base tables for which the user did not have sufficient privileges to
      see the table structure. If the view referenced a view with the same lack of
      privileges, however, an error was raised correctly. 
      
      This came about because the 'access denied' error message was first issued
      during normal access checking for the referenced base table, then converted
      into a generic 'view invalid' message for the referencing view in order to
      hide details of the table structure which were otherwise visible in the error
      message.
      
      Later still, all 'view invalid' errors were cleared and a warning issued
      instead, the rationale being that we should not get errors simply because a
      view referenced a nonexisting object. At this point all information about the
      initial causes of the error condition was lost.
      
      Fixed by implementing a specialized subclass of Internal_error_handler and
      removing error handling that manipulates error messages.
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed result.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case.
     @ mysql-test/t/view_grant.test
        Bug#35996: Changed test case, test case for bug.
     @ sql/sql_base.cc
        Bug#35996: Partial removal of old style of error handling.
     @ sql/sql_show.cc
        Bug#35996: Implementation of the new Internal_error_handler subclass.
[21 Aug 2009 9:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/81258

2936 Martin Hansson	2009-08-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      There were no errors displayed when issuing a SHOW CREATE VIEW for views that
      reference base tables for which the user did not have sufficient privileges to
      see the table structure. If the view referenced a view with the same lack of
      privileges, however, an error was raised correctly. 
      
      This came about because the 'access denied' error message was first issued
      during normal access checking for the referenced base table, then converted
      into a generic 'view invalid' message for the referencing view in order to
      hide details of the table structure which were otherwise visible in the error
      message.
      
      Later still, all 'view invalid' errors were cleared and a warning issued
      instead, the rationale being that we should not get errors simply because a
      view referenced a nonexisting object. At this point all information about the
      initial causes of the error condition was lost.
      
      Fixed by implementing a specialized subclass of Internal_error_handler and
      removing error handling that manipulates error messages.
     @ mysql-test/r/view_grant.result
        Bug#35996: Test result.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_base.cc
        Bug#35996: Partial removal of old style of error handling.
     @ sql/sql_show.cc
        Bug#35996: Implementation of the new Internal_error_handler subclass.
[27 Aug 2009 17:36] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/81772

2936 Martin Hansson	2009-08-27
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      There were no errors displayed when issuing a SHOW CREATE VIEW for views that
      reference base tables for which the user did not have sufficient privileges to
      see the table structure. If the view referenced a view with the same lack of
      privileges, however, an error was raised correctly. 
      
      This came about because the 'access denied' error message was first issued
      during normal access checking for the referenced base table, then converted
      into a generic 'view invalid' message for the referencing view in order to
      hide details of the table structure which were otherwise visible in the error
      message.
      
      Later still, all 'view invalid' errors were cleared and a warning issued
      instead, the rationale being that we should not get errors simply because a
      view referenced a nonexisting object. At this point all information about the
      initial causes of the error condition was lost.
      
      Fixed by implementing a specialized subclass of Internal_error_handler and
      removing error handling that manipulates error messages.
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed result.
     @ mysql-test/r/view_grant.result
        Bug#35996: Test result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test. In this case the user has only INSERT privilege on the view's underlying view, where SELECT is required to see view definition.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_base.cc
        Bug#35996: Partial removal of old style of error handling.
     @ sql/sql_show.cc
        Bug#35996: Implementation of the new Internal_error_handler subclass.
[11 Sep 2009 12:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83051

3120 Martin Hansson	2009-09-11
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      When looking in the code for SHOW CREATE VIEW, it would seem as if 
      there is a need to hide errors that name objects that a user does
      not have access to. But there are no justifications for this and it
      is inconsistently implemented. For example base tables being referenced
      from a view appear to be ok, but not views. The manual on the other 
      hand is clear: If a user has the privileges SELECT and SHOW VIEW, 
      the view definition is available to that user, period. 
      The fix changes the behavior to support the manual in this respect.
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed warnings.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed warnings. Test result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case to reflect new behavior.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_acl.cc
        Bug#35996: Code no longer necessary, we may as well exempt 
        SHOW CREATE VIEW from this check.
     @ sql/sql_show.cc
        Bug#35996: The fix: An Internal_error_handler that hides most errors 
        raised by access checking as they are not relevant to SHOW CREATE VIEW.
     @ sql/table.cc
        Bug#35996: Restricting this hack to act only when there is 
        no Internal_error_handler.
[21 Sep 2009 11:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83905

3121 Martin Hansson	2009-09-21
      (no message)
[21 Sep 2009 11:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83907

3120 Martin Hansson	2009-09-21
      (no message)
      modified:
        mysql-test/r/information_schema_db.result
        mysql-test/r/view_grant.result
        mysql-test/t/information_schema_db.test
        mysql-test/t/view_grant.test
        sql/sql_acl.cc
        sql/sql_show.cc
        sql/table.cc
[21 Sep 2009 11:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83908

3121 Martin Hansson	2009-09-21
      test
[21 Sep 2009 11:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83909

3120 Martin Hansson	2009-09-21
      test
      modified:
        mysql-test/r/information_schema_db.result
        mysql-test/r/view_grant.result
        mysql-test/t/information_schema_db.test
        mysql-test/t/view_grant.test
        sql/sql_acl.cc
        sql/sql_show.cc
        sql/table.cc
[21 Sep 2009 12:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83917

3120 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
            
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors
      that name objects that a user does not have access to. Moreover it 
      was inconsistently implemented. For example base tables being 
      referenced from a view appear to be ok, but not views. The manual 
      on the other hand is clear: If a user has the privileges SELECT 
      and SHOW VIEW, the view definition is available to that user, 
      period. 
      The fix changes the behavior to support the manual.
      modified:
        mysql-test/r/information_schema_db.result
        mysql-test/r/view_grant.result
        mysql-test/t/information_schema_db.test
        mysql-test/t/view_grant.test
        sql/sql_acl.cc
        sql/sql_show.cc
        sql/table.cc
[21 Sep 2009 12:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83921

3120 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
      modified:
        mysql-test/r/information_schema_db.result
        mysql-test/r/view_grant.result
        mysql-test/t/information_schema_db.test
        mysql-test/t/view_grant.test
        sql/sql_acl.cc
        sql/sql_show.cc
        sql/table.cc
[21 Sep 2009 12:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83922

3121 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
[21 Sep 2009 13:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83935

3115 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
[21 Sep 2009 13:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83936

3116 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
[21 Sep 2009 13:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83938

3115 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views 
      
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
[21 Sep 2009 13:23] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83939

3115 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
[21 Sep 2009 13:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83943

3115 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name
      objects that a user does not have access to. Moreover it was inconsistently
      implemented. For example base tables being referenced from a view appear to be
      ok, but not views. The manual on the other hand is clear: If a user has the
      privileges SELECT and SHOW VIEW, the view definition is available to that
      user, period. The fix changes the behavior to support the manual. 
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed warnings.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed warnings, test result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case to reflect new behavior.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_acl.cc
        Bug#35996: Code no longer necessary, we may as well exempt
     @ sql/sql_show.cc
        Bug#35996: The fix: An Internal_error_handler that hides most errors 
        raised by access checking as they are not relevant to SHOW CREATE VIEW.
     @ sql/table.cc
        Bug#35996: Restricting this hack to act only when there is 
        no Internal_error_handler.
[21 Sep 2009 16:54] Martin Hansson
A sentence was missing in the above patch. Updated patch below.
[21 Sep 2009 16:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83986

3118 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name
      objects that a user does not have access to. Moreover it was inconsistently
      implemented. For example base tables being referenced from a view appear to be
      ok, but not views. The manual on the other hand is clear: If a user has the
      privileges SELECT and SHOW VIEW, the view definition is available to that
      user, period. The fix changes the behavior to support the manual. 
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed warnings.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed warnings, test result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case to reflect new behavior.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_acl.cc
        Bug#35996: Code no longer necessary, we may as well exempt 
        SHOW CREATE VIEW from this check.
     @ sql/sql_show.cc
        Bug#35996: The fix: An Internal_error_handler that hides most errors raised by access checking as they are not relevant to 
        SHOW CREATE VIEW.
     @ sql/table.cc
        Bug#35996: Restricting this hack to act only when there is 
        no Internal_error_handler.
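
The privilege boundary this fix settles on (SELECT plus SHOW VIEW on the view is enough for SHOW CREATE VIEW, whatever the account holds on the objects the view references) can be checked with a script like the one below. It is an added example, not the attached test case or code from the MySQL tree; every database, table, view and account name and the password are constructed, and the statements marked "as the restricted account" are meant to be run in a separate session logged in as that account.

```sql
-- Setup, run as an administrative account.
-- All object and account names below are constructed for this example.
CREATE DATABASE app_data;
CREATE DATABASE app_views;

CREATE TABLE app_data.customers (
  id   INT PRIMARY KEY,
  name VARCHAR(64),
  ssn  CHAR(11)            -- column the view deliberately does not expose
);

-- TEMPTABLE view defined in terms of a base table, the case in the report.
CREATE ALGORITHM = TEMPTABLE VIEW app_views.customer_names AS
  SELECT id, name FROM app_data.customers;

-- Placeholder password; replace before use.
CREATE USER 'report_reader'@'localhost' IDENTIFIED BY 'change-me';

-- Only the two privileges the manual names, and only on the view itself.
GRANT SELECT, SHOW VIEW ON app_views.customer_names
  TO 'report_reader'@'localhost';

-- As the restricted account (separate session):
SHOW CREATE VIEW app_views.customer_names;      -- expected: definition shown
SELECT id, name FROM app_views.customer_names;  -- expected: allowed
SHOW CREATE TABLE app_data.customers;           -- expected: denied
SELECT ssn FROM app_data.customers;             -- expected: denied

-- Audit, run as an administrative account: accounts that hold both SELECT
-- and SHOW VIEW at table level on a view, and can therefore read its
-- definition, including the names of the tables and columns it references.
SELECT tp.GRANTEE, tp.TABLE_SCHEMA, tp.TABLE_NAME
FROM information_schema.TABLE_PRIVILEGES AS tp
JOIN information_schema.VIEWS AS v
  ON  v.TABLE_SCHEMA = tp.TABLE_SCHEMA
  AND v.TABLE_NAME   = tp.TABLE_NAME
WHERE tp.PRIVILEGE_TYPE IN ('SELECT', 'SHOW VIEW')
GROUP BY tp.GRANTEE, tp.TABLE_SCHEMA, tp.TABLE_NAME
HAVING COUNT(DISTINCT tp.PRIVILEGE_TYPE) = 2;

-- Cleanup.
DROP USER 'report_reader'@'localhost';
DROP DATABASE app_views;
DROP DATABASE app_data;
```

The audit query covers table-level grants only; the same two privileges granted at database or global level appear in information_schema.SCHEMA_PRIVILEGES and information_schema.USER_PRIVILEGES and need the same review.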
[29 Sep 2009 11:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/84981

3624 Martin Hansson	2009-09-29 [merge]
      Merge of Bug#35996: Internal_error_handler::handle_error 
      is called Internal_error_handler::handle_condition in 6.0
      and takes some extra arguments.
[29 Sep 2009 13:23] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/84999

3625 Martin Hansson	2009-09-29 [merge]
      Merge of Bug#35996
[29 Sep 2009 14:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/85050

3140 Martin Hansson	2009-09-29 [merge]
      Merge of Bug#35996.
[30 Sep 2009 7:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/85136

3141 Martin Hansson	2009-09-30 [merge]
      Merge of Bug#35996
[6 Oct 2009 8:59] Bugs System
Pushed into 5.1.40 (revid:joro@sun.com-20091006073316-lea2cpijh9r6on7c) (version source revid:ingo.struewing@sun.com-20091002112748-2xmjv846dk323nc3) (merge vers: 5.1.40) (pib:11)
[8 Oct 2009 0:11] Paul DuBois
Noted in 5.1.40 changelog.

Privileges for SHOW CREATE VIEW were not being checked correctly.

Setting report to NDI pending push into 5.4.x.
[22 Oct 2009 6:34] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091022063126-l0qzirh9xyhp0bpc) (version source revid:alik@sun.com-20091019135554-s1pvptt6i750lfhv) (merge vers: 6.0.14-alpha) (pib:13)
[22 Oct 2009 7:06] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091022060553-znkmxm0g0gm6ckvw) (version source revid:alik@sun.com-20091013094238-g67x6tgdm9a7uik0) (merge vers: 5.5.0-beta) (pib:13)
[22 Oct 2009 19:32] Paul DuBois
Noted in 5.5.0, 6.0.14 changelogs.
[18 Dec 2009 10:30] Bugs System
Pushed into 5.1.41-ndb-7.1.0 (revid:jonas@mysql.com-20091218102229-64tk47xonu3dv6r6) (version source revid:jonas@mysql.com-20091218095730-26gwjidfsdw45dto) (merge vers: 5.1.41-ndb-7.1.0) (pib:15)
[18 Dec 2009 10:46] Bugs System
Pushed into 5.1.41-ndb-6.2.19 (revid:jonas@mysql.com-20091218100224-vtzr0fahhsuhjsmt) (version source revid:jonas@mysql.com-20091217101452-qwzyaig50w74xmye) (merge vers: 5.1.41-ndb-6.2.19) (pib:15)
[18 Dec 2009 11:01] Bugs System
Pushed into 5.1.41-ndb-6.3.31 (revid:jonas@mysql.com-20091218100616-75d9tek96o6ob6k0) (version source revid:jonas@mysql.com-20091217154335-290no45qdins5bwo) (merge vers: 5.1.41-ndb-6.3.31) (pib:15)
[18 Dec 2009 11:15] Bugs System
Pushed into 5.1.41-ndb-7.0.11 (revid:jonas@mysql.com-20091218101303-ga32mrnr15jsa606) (version source revid:jonas@mysql.com-20091218064304-ezreonykd9f4kelk) (merge vers: 5.1.41-ndb-7.0.11) (pib:15)