Bug #77309 Definer substitution in routines and views
Submitted: 11 Jun 2015 8:48
Modified: 17 Jan 2019 22:17
Reporter: Pavel Katiushyn
Status: No Feedback
Category: MySQL Server: Stored Routines
Severity: S2 (Serious)
Version: 5.6.16
OS: Linux (CentOS 6.5)
CPU Architecture: Any

[11 Jun 2015 8:48] Pavel Katiushyn
Description:
When you (as a superuser) create a procedure with a wrong user name in the definer, you may get a different definer than the one you specified.
In the example below, instead of the definer pavel.katiushyn@192.168.120.256 I got pavel.katiushyn@%.
The same was noticed for a view. I did not check triggers and events.
This may lead to security problems.

How to repeat:
mysql> select user,host from mysql.user where user='pavel.katiushyn';
+-----------------+------+
| user            | host |
+-----------------+------+
| pavel.katiushyn | %    |
+-----------------+------+
1 row in set (0.00 sec)

mysql> drop procedure if exists ttt;
Query OK, 0 rows affected (0.00 sec)

mysql> delimiter $$
mysql> CREATE DEFINER=`pavel.katiushyn`@`192.168.120.256` PROCEDURE `ttt`()
    -> select user(),session_user(), current_user();
    -> $$
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> show warnings $$
+-------+------+--------------------------------------------------------------------------------------+
| Level | Code | Message                                                                              |
+-------+------+--------------------------------------------------------------------------------------+
| Note  | 1449 | The user specified as a definer ('pavel.katiushyn'@'192.168.120.256') does not exist |
+-------+------+--------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> delimiter ;
mysql> call ttt();
+---------------------------+---------------------------+-------------------+
| user()                    | session_user()            | current_user()    |
+---------------------------+---------------------------+-------------------+
| pavel.katiushyn@localhost | pavel.katiushyn@localhost | pavel.katiushyn@% |
+---------------------------+---------------------------+-------------------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)
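An audit query for finding objects affected by this behaviour (an example added here, not part of the bug report or of MySQL's own tooling): it lists routines, views, triggers and events whose DEFINER has no exact account in mysql.user, and shows which existing accounts the definer's host would match under MySQL's wildcard host matching, i.e. whose privileges the object may actually run with. It assumes a 5.6/5.7-style mysql.user table, user names that contain no '@', and it does not model netmask-style host values.

```sql
-- Audit: DEFINERs that do not name an existing account exactly.
-- A CREATE with such a definer succeeds with note 1449, and at execution
-- time the definer is resolved by the normal user@host matching, so
-- 'user'@'192.168.120.256' can end up running as 'user'@'%'.
-- Run as an account with SELECT on mysql.user.
SELECT d.object_type,
       d.object_schema,
       d.object_name,
       d.definer,
       -- 1 when the account named in DEFINER really exists (exact user AND host)
       (SELECT COUNT(*)
          FROM mysql.user u
         WHERE u.user = SUBSTRING_INDEX(d.definer, '@', 1)
           AND u.host = SUBSTRING_INDEX(d.definer, '@', -1)) > 0 AS exact_account_exists,
       -- accounts the definer host would match through % and _ host patterns;
       -- this is the effective privilege set the object may use
       (SELECT GROUP_CONCAT(CONCAT(u.user, '@', u.host) ORDER BY u.host)
          FROM mysql.user u
         WHERE u.user = SUBSTRING_INDEX(d.definer, '@', 1)
           AND SUBSTRING_INDEX(d.definer, '@', -1) LIKE u.host) AS resolves_to
FROM (
    SELECT 'ROUTINE' AS object_type, ROUTINE_SCHEMA AS object_schema,
           ROUTINE_NAME AS object_name, DEFINER AS definer
      FROM information_schema.ROUTINES
    UNION ALL
    SELECT 'VIEW', TABLE_SCHEMA, TABLE_NAME, DEFINER
      FROM information_schema.VIEWS
    UNION ALL
    SELECT 'TRIGGER', TRIGGER_SCHEMA, TRIGGER_NAME, DEFINER
      FROM information_schema.TRIGGERS
    UNION ALL
    SELECT 'EVENT', EVENT_SCHEMA, EVENT_NAME, DEFINER
      FROM information_schema.EVENTS
) AS d
-- keep only objects whose definer is not an exact existing account
HAVING exact_account_exists = 0
ORDER BY d.object_schema, d.object_type, d.object_name;
```

A row with resolves_to set but exact_account_exists = 0 is the case reported above; a row with resolves_to NULL is an orphaned definer whose object will fail with error 1449 when invoked.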
[17 Dec 2018 22:17] MySQL Verification Team
Please check with latest version. Thanks.
[18 Jan 2019 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".