The bug was updated successfully. The following people were notified: the MySQL developers, the bug reporter, the assigned developer, the assigned reviewer, the assigned lead, interested observers, and nobody else.
Bug #35996 SELECT + SHOW VIEW should be enough to display view definition
Submitted: 11 Apr 2008 13:41 Modified: 18 Dec 2009 20:33
Reporter: Martin Hansson Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.0, 5.1, 6.0 OS:Any
Assigned to: Martin Hansson
Tags: grant, show create view, temptable, Views
Triage: Triaged: D2 (Serious)

[11 Apr 2008 13:41] Martin Hansson
Description:
When referring to a view using the TEMPTABLE algorithm, the internal view object get smashed with the temporary table, i.e. all relevant fields are replaced with those of the temporary table. There appears to be a bug in this procedure which enables users to do SHOW CREATE VIEW on ALGORITHM = TEMPTABLE views defined in terms of tables. 

How to repeat:
See attached test case.

Suggested fix:
This fix will be fixed (has to be fixed) along with Bug#35600.
[12 Aug 2009 12:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/80667

2936 Martin Hansson	2009-08-12
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      There were no errors displayed when issuing a SHOW CREATE VIEW for views that
      reference base tables for which the user did not have sufficient privileges to
      see the table structure. If the view referenced a view with the same lack of
      privileges, however, an error was raised correctly. 
      
      This came about because the 'access denied' error message was first issued
      during normal access checking for the referenced base table, then converted
      into a generic 'view invalid' message for the referencing view in order to
      hide details of the table structure which were otherwise visible in the error
      message.
      
      Later still, all 'view invalid' errors were cleared and a warning issued
      instead, the rationale being that we should not get errors simply because a
      view referenced a nonexisting object. At this point all information about the
      initial causes of the error condition were lost. 
      
      Fixed by implementing a specialized subclass of Internal_error_handler and
      removing error handling that manipulates error messages.
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed result.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case.
     @ mysql-test/t/view_grant.test
        Bug#35996: Changed test case, test case for bug.
     @ sql/sql_base.cc
        Bug#35996: Partial removal of old style of error handling.
     @ sql/sql_show.cc
        Bug#35996: Implementation of the new Internal_error_handler subclass.
[12 Aug 2009 14:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/80677

2936 Martin Hansson	2009-08-12
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      There were no errors displayed when issuing a SHOW CREATE VIEW for views that
      reference base tables for which the user did not have sufficient privileges to
      see the table structure. If the view referenced a view with the same lack of
      privileges, however, an error was raised correctly. 
      
      This came about because the 'access denied' error message was first issued
      during normal access checking for the referenced base table, then converted
      into a generic 'view invalid' message for the referencing view in order to
      hide details of the table structure which were otherwise visible in the error
      message.
      
      Later still, all 'view invalid' errors were cleared and a warning issued
      instead, the rationale being that we should not get errors simply because a
      view referenced a nonexisting object. At this point all information about the
      initial causes of the error condition were lost. 
      
      Fixed by implementing a specialized subclass of Internal_error_handler and
      removing error handling that manipulates error messages.
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed result.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case.
     @ mysql-test/t/view_grant.test
        Bug#35996: Changed test case, test case for bug.
     @ sql/sql_base.cc
        Bug#35996: Partial removal of old style of error handling.
     @ sql/sql_show.cc
        Bug#35996: Implementation of the new Internal_error_handler subclass.
[21 Aug 2009 9:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/81258

2936 Martin Hansson	2009-08-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      There were no errors displayed when issuing a SHOW CREATE VIEW for views that
      reference base tables for which the user did not have sufficient privileges to
      see the table structure. If the view referenced a view with the same lack of
      privileges, however, an error was raised correctly. 
      
      This came about because the 'access denied' error message was first issued
      during normal access checking for the referenced base table, then converted
      into a generic 'view invalid' message for the referencing view in order to
      hide details of the table structure which were otherwise visible in the error
      message.
      
      Later still, all 'view invalid' errors were cleared and a warning issued
      instead, the rationale being that we should not get errors simply because a
      view referenced a nonexisting object. At this point all information about the
      initial causes of the error condition were lost. 
      
      Fixed by implementing a specialized subclass of Internal_error_handler and
      removing error handling that manipulates error messages.
     @ mysql-test/r/view_grant.result
        Bug#35996: Test result.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_base.cc
        Bug#35996: Partial removal of old style of error handling.
     @ sql/sql_show.cc
        Bug#35996: Implementation of the new Internal_error_handler subclass.
[27 Aug 2009 17:36] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/81772

2936 Martin Hansson	2009-08-27
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      There were no errors displayed when issuing a SHOW CREATE VIEW for views that
      reference base tables for which the user did not have sufficient privileges to
      see the table structure. If the view referenced a view with the same lack of
      privileges, however, an error was raised correctly. 
      
      This came about because the 'access denied' error message was first issued
      during normal access checking for the referenced base table, then converted
      into a generic 'view invalid' message for the referencing view in order to
      hide details of the table structure which were otherwise visible in the error
      message.
      
      Later still, all 'view invalid' errors were cleared and a warning issued
      instead, the rationale being that we should not get errors simply because a
      view referenced a nonexisting object. At this point all information about the
      initial causes of the error condition were lost. 
      
      Fixed by implementing a specialized subclass of Internal_error_handler and
      removing error handling that manipulates error messages.
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed result.
     @ mysql-test/r/view_grant.result
        Bug#35996: Test result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test. In this case the user has only INSERT privilege on the view's underlying view, where SELECT is required to see view definition.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_base.cc
        Bug#35996: Partial removal of old style of error handling.
     @ sql/sql_show.cc
        Bug#35996: Implementation of the new Internal_error_handler subclass.
[11 Sep 2009 12:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83051

3120 Martin Hansson	2009-09-11
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      When looking in the code for SHOW CREATE VIEW, it would seem as if 
      there is a need to hide errors that name object that a user does 
      not have access to. But there are no justifications for this and it
      is inconsistently implemented. For example base tables being referenced
      from a view appear to be ok, but not views. The manual on the other 
      hand is clear: If a user has the privileges SELECT and SHOW VIEW, 
      the view definition is available to that user, period. 
      The fix changes the behavior to support the manual in this respect.
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed warnings.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed warnings. Test result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case to reflect new behavior.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_acl.cc
        Bug#35996: Code no longer necessary, we may as well exempt 
        SHOW CREATE VIEW from this check.
     @ sql/sql_show.cc
        Bug#35996: The fix: An Internal_error_handler that hides most errors 
        raised by access checking as they are not relevant to SHOW CREATE VIEW.
     @ sql/table.cc
        Bug#35996: Restricting this hack to act only when there is 
        no Internal_error_handler.
[21 Sep 2009 11:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83905

3121 Martin Hansson	2009-09-21
      (no message)
[21 Sep 2009 11:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83907

3120 Martin Hansson	2009-09-21
      (no message)
      modified:
        mysql-test/r/information_schema_db.result
        mysql-test/r/view_grant.result
        mysql-test/t/information_schema_db.test
        mysql-test/t/view_grant.test
        sql/sql_acl.cc
        sql/sql_show.cc
        sql/table.cc
[21 Sep 2009 11:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83908

3121 Martin Hansson	2009-09-21
      test
[21 Sep 2009 11:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83909

3120 Martin Hansson	2009-09-21
      test
      modified:
        mysql-test/r/information_schema_db.result
        mysql-test/r/view_grant.result
        mysql-test/t/information_schema_db.test
        mysql-test/t/view_grant.test
        sql/sql_acl.cc
        sql/sql_show.cc
        sql/table.cc
[21 Sep 2009 12:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83917

3120 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
            
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors
      that name objects that a user does not have access to. Moreover it 
      was inconsistently implemented. For example base tables being 
      referenced from a view appear to be ok, but not views. The manual 
      on the other hand is clear: If a user has the privileges SELECT 
      and SHOW VIEW, the view definition is available to that user, 
      period. 
      The fix changes the behavior to support the manual.
      modified:
        mysql-test/r/information_schema_db.result
        mysql-test/r/view_grant.result
        mysql-test/t/information_schema_db.test
        mysql-test/t/view_grant.test
        sql/sql_acl.cc
        sql/sql_show.cc
        sql/table.cc
[21 Sep 2009 12:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83921

3120 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
      modified:
        mysql-test/r/information_schema_db.result
        mysql-test/r/view_grant.result
        mysql-test/t/information_schema_db.test
        mysql-test/t/view_grant.test
        sql/sql_acl.cc
        sql/sql_show.cc
        sql/table.cc
[21 Sep 2009 12:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83922

3121 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
[21 Sep 2009 13:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83935

3115 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
[21 Sep 2009 13:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83936

3116 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
[21 Sep 2009 13:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83938

3115 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views 
      
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name objects that a user does not have access to. Moreover it was inconsistently implemented. For example base tables being referenced from a view appear to be ok, but not views. The manual on the other hand is clear: If a user has the privileges SELECT and SHOW VIEW, the view definition is available to that user, period. The fix changes the behavior to support the manual.
[21 Sep 2009 13:23] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83939

3115 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
[21 Sep 2009 13:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83943

3115 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name
      objects that a user does not have access to. Moreover it was inconsistently
      implemented. For example base tables being referenced from a view appear to be
      ok, but not views. The manual on the other hand is clear: If a user has the
      privileges SELECT and SHOW VIEW, the view definition is available to that
      user, period. The fix changes the behavior to support the manual. 
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed warnings.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed warnings, test result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case to reflect new behavior.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_acl.cc
        Bug#35996: Code no longer necessary, we may as well exempt
     @ sql/sql_show.cc
        Bug#35996: The fix: An Internal_error_handler that hides most errors 
        raised by access checking as they are not relevant to SHOW CREATE VIEW.
     @ sql/table.cc
        Bug#35996: Restricting this hack to act only when there is 
        no Internal_error_handler.
[21 Sep 2009 16:54] Martin Hansson
A sentence was missing in the above patch. Updated patch below.
[21 Sep 2009 16:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/83986

3118 Martin Hansson	2009-09-21
      Bug#35996: Security Breach In Smashed TEMPTABLE Views
      
      During SHOW CREATE VIEW there is no reason to 'anonymize' errors that name
      objects that a user does not have access to. Moreover it was inconsistently
      implemented. For example base tables being referenced from a view appear to be
      ok, but not views. The manual on the other hand is clear: If a user has the
      privileges SELECT and SHOW VIEW, the view definition is available to that
      user, period. The fix changes the behavior to support the manual. 
     @ mysql-test/r/information_schema_db.result
        Bug#35996: Changed warnings.
     @ mysql-test/r/view_grant.result
        Bug#35996: Changed warnings, test result.
     @ mysql-test/t/information_schema_db.test
        Bug#35996: Changed test case to reflect new behavior.
     @ mysql-test/t/view_grant.test
        Bug#35996: Test case.
     @ sql/sql_acl.cc
        Bug#35996: Code no longer necessary, we may as well exempt 
        SHOW CREATE VIEW from this check.
     @ sql/sql_show.cc
        Bug#35996: The fix: An Internal_error_handler that hides most errors raised by access checking as they are not relevant to 
        SHOW CREATE VIEW.
     @ sql/table.cc
        Bug#35996: Restricting this hack to act only when there is 
        no Internal_error_handler.
[29 Sep 2009 11:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/84981

3624 Martin Hansson	2009-09-29 [merge]
      Merge of Bug#35996: Internal_error_handler::handle_error 
      is called Internal_error_handler::handle_condition in 6.0
      and takes some extra arguments.
[29 Sep 2009 13:23] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/84999

3625 Martin Hansson	2009-09-29 [merge]
      Merge of Bug#35996
[29 Sep 2009 14:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/85050

3140 Martin Hansson	2009-09-29 [merge]
      Merge of Bug#35996.
[30 Sep 2009 7:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/85136

3141 Martin Hansson	2009-09-30 [merge]
      Merge of Bug#35996
[6 Oct 2009 8:59] Bugs System
Pushed into 5.1.40 (revid:joro@sun.com-20091006073316-lea2cpijh9r6on7c) (version source revid:ingo.struewing@sun.com-20091002112748-2xmjv846dk323nc3) (merge vers: 5.1.40) (pib:11)
[8 Oct 2009 0:11] Paul Dubois
Noted in 5.1.40 changelog.

Privileges for SHOW CREATE VIEW were not being checked correctly.

Setting report to NDI pending push into 5.4.x.
[22 Oct 2009 6:34] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091022063126-l0qzirh9xyhp0bpc) (version source revid:alik@sun.com-20091019135554-s1pvptt6i750lfhv) (merge vers: 6.0.14-alpha) (pib:13)
[22 Oct 2009 7:06] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091022060553-znkmxm0g0gm6ckvw) (version source revid:alik@sun.com-20091013094238-g67x6tgdm9a7uik0) (merge vers: 5.5.0-beta) (pib:13)
[22 Oct 2009 19:32] Paul Dubois
Noted in 5.5.0, 6.0.14 changelogs.
[18 Dec 2009 10:30] Bugs System
Pushed into 5.1.41-ndb-7.1.0 (revid:jonas@mysql.com-20091218102229-64tk47xonu3dv6r6) (version source revid:jonas@mysql.com-20091218095730-26gwjidfsdw45dto) (merge vers: 5.1.41-ndb-7.1.0) (pib:15)
[18 Dec 2009 10:46] Bugs System
Pushed into 5.1.41-ndb-6.2.19 (revid:jonas@mysql.com-20091218100224-vtzr0fahhsuhjsmt) (version source revid:jonas@mysql.com-20091217101452-qwzyaig50w74xmye) (merge vers: 5.1.41-ndb-6.2.19) (pib:15)
[18 Dec 2009 11:01] Bugs System
Pushed into 5.1.41-ndb-6.3.31 (revid:jonas@mysql.com-20091218100616-75d9tek96o6ob6k0) (version source revid:jonas@mysql.com-20091217154335-290no45qdins5bwo) (merge vers: 5.1.41-ndb-6.3.31) (pib:15)
[18 Dec 2009 11:15] Bugs System
Pushed into 5.1.41-ndb-7.0.11 (revid:jonas@mysql.com-20091218101303-ga32mrnr15jsa606) (version source revid:jonas@mysql.com-20091218064304-ezreonykd9f4kelk) (merge vers: 5.1.41-ndb-7.0.11) (pib:15)