Bug #83189 Native methods introduced for I_S should not be used by a user directly.
Submitted: 28 Sep 2016 13:13
Modified: 11 Nov 2016 16:22
Reporter: Praveenkumar Hulakund
Status: Closed
Category: MySQL Server: Information schema
Severity: S3 (Non-critical)
Version: 8.0.1
OS: Any
Assigned to:
CPU Architecture: Any

[28 Sep 2016 13:13] Praveenkumar Hulakund
Description:
As part of the new INFORMATION_SCHEMA worklogs 6599 and 7167, a few native
methods were introduced for various purposes.

These native methods can now be invoked directly by a user, as below:

mysql> select INTERNAL_GET_VIEW_WARNING_OR_ERROR("test", "v1", 1, 0)

Native methods are introduced for internal use only; these should not
be used by a user.

Some of the native methods are as below:

    can_access_table(),
    can_access_database(),
    can_access_column(),
    can_access_view()

Invoking these directly as a user might result in
security-related issues.

How to repeat:

mysql> SELECT CAN_ACCESS_TABLE("test", "t1");
+--------------------------------+
| CAN_ACCESS_TABLE("test", "t1") |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.00 sec)

mysql> select INTERNAL_GET_VIEW_WARNING_OR_ERROR("test", "v1", 1, 0)
    -> ;
+--------------------------------------------------------+
| INTERNAL_GET_VIEW_WARNING_OR_ERROR("test", "v1", 1, 0) |
+--------------------------------------------------------+
|                                                      1 |
+--------------------------------------------------------+
1 row in set (0.00 sec) 

Suggested fix:
Native methods should be called from the INFORMATION_SCHEMA queries only.
Users should not be allowed to invoke them directly.

At least the native methods which might result in security-related issues
should not be allowed to be used by a user directly.
[11 Nov 2016 16:22] Paul DuBois
Posted by developer:
 
Noted in 8.0.1 changelog.

The implementation of several INFORMATION_SCHEMA tables as views on
data dictionary tables introduced a number of native SQL functions
intended only for internal use by the server, but they could be
invoked by users. Those functions now produce an error if invoked by
users.
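
One way to audit application SQL or a query log for the direct invocations this report describes, for instance before moving to a server where they produce an error. This is an added example, not part of the bug report or of MySQL's code; the function list is the one named in the report, and SAMPLE is constructed input.

```python
import re

# Names listed in the report (it says "some of"), so extend the tuple as needed.
INTERNAL_FUNCS = (
    "CAN_ACCESS_TABLE", "CAN_ACCESS_DATABASE", "CAN_ACCESS_COLUMN",
    "CAN_ACCESS_VIEW", "INTERNAL_GET_VIEW_WARNING_OR_ERROR",
)

# String literals, quoted identifiers and comments are blanked first, so a name
# that appears only as data or in a comment is not reported as a call.
_SKIP = re.compile(
    r"""'(?:[^'\\]|\\.|'')*'      # single-quoted string
      | "(?:[^"\\]|\\.|"")*"      # double-quoted string
      | `(?:[^`]|``)*`            # backtick-quoted identifier
      | /\*.*?\*/                 # block comment
      | (?:--[ \t]|\#)[^\n]*      # line comment
    """, re.S | re.X)
_CALL = re.compile(r"\b(" + "|".join(INTERNAL_FUNCS) + r")\s*\(", re.I)

# Constructed sample statements; the first two mirror the report's "How to repeat".
SAMPLE = [
    'SELECT CAN_ACCESS_TABLE("test", "t1")',
    'select internal_get_view_warning_or_error ("test", "v1", 1, 0)',
    "SELECT table_name FROM information_schema.tables WHERE table_schema = 'test'",
    "SELECT 'can_access_view(' AS note /* CAN_ACCESS_COLUMN(x) */",
    "SELECT my_can_access_table(1)",
]

def direct_calls(statement):
    """Return the internal functions a statement invokes directly, upper-cased."""
    code = _SKIP.sub(" ", statement)
    return sorted({m.group(1).upper() for m in _CALL.finditer(code)})

def scan(statements):
    """Yield (index, statement, functions) for each statement with a direct call."""
    for i, stmt in enumerate(statements):
        hits = direct_calls(stmt)
        if hits:
            yield i, stmt, hits

if __name__ == "__main__":
    for i, stmt, hits in scan(SAMPLE):
        print(f"statement {i}: {', '.join(hits)} <- {stmt}")
```

Ordinary INFORMATION_SCHEMA queries do not carry these names in their text, so a hit in client-issued SQL indicates a direct call.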