Bug #36963 | Views using MERGE algorithm give unauthorized column privileges. | ||
---|---|---|---|
Submitted: | 26 May 2008 13:03 | Modified: | 30 May 2008 12:28 |
Reporter: | Martin Hansson | Email Updates: | |
Status: | Duplicate | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S2 (Serious) |
Version: | 5.1, 6.0 | OS: | Any |
Assigned to: | Assigned Account | CPU Architecture: | Any |
Tags: | merge, privilege, VIEW |
[26 May 2008 13:03]
Martin Hansson
[26 May 2008 13:04]
Martin Hansson
Test case
Attachment: newbug.test (application/octet-stream, text), 719 bytes.
[26 May 2008 22:31]
MySQL Verification Team
Thank you for the bug report.
[3 Jun 2008 16:17]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/47384
[3 Jun 2008 16:23]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/47385
[9 Jun 2008 14:50]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/47608
[11 Jun 2008 8:42]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/47718
2666 Martin Hansson 2008-06-11
Bug#36086: SELECT * from views don't check column grants
This patch also fixes bugs 36963 and 35600.
- In many places a view was confused with an anonymous derived table, i.e. access checking was skipped. Fixed by introducing a predicate to tell the difference between named and anonymous derived tables.
- When inserting fields for "SELECT * ", there was no distinction made between base tables and views when it should have. View privileges are checked elsewhere.
- Privileges for TEMPTABLE views should not be checked in check_grant.