| Bug #39015 | SHOW ... STATUS commands shows too much info | ||
|---|---|---|---|
| Submitted: | 25 Aug 2008 16:43 | Modified: | 25 Sep 2008 17:14 |
| Reporter: | Evgeny Potemkin | Email Updates: | |
| Status: | No Feedback | Impact on me: | |
| Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
| Version: | 5.1+ | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[25 Sep 2008 23:00]
Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".

Description:

According to the standard, the I_S.ROUTINES view should show only routines accessible to a given user. The same rule is applicable to the SHOW PROCEDURE STATUS command. Now it shows info on procedures even if the user has only the USAGE right on a given database.

How to repeat:

```
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> delimiter |
mysql> create procedure proc37908() begin select 1; end |
Query OK, 0 rows affected (0.00 sec)

mysql> delimiter ;
mysql> grant usage on test.* to mysqltest_1@localhost;
Query OK, 0 rows affected (0.00 sec)

------
mysql> select user();
+-----------------------+
| user()                |
+-----------------------+
| mysqltest_1@localhost |
+-----------------------+
1 row in set (0.00 sec)

mysql> show procedure status\G
*************************** 1. row ***************************
                  Db: test
                Name: proc37908
                Type: PROCEDURE
             Definer: root@localhost
            Modified: 2008-08-25 20:24:56
             Created: 2008-08-25 20:24:56
       Security_type: DEFINER
             Comment:
character_set_client: latin1
collation_connection: latin1_swedish_ci
  Database Collation: latin1_swedish_ci
1 row in set (0.00 sec)
```