MDEV-25141 JSON_TABLE: SELECT into outfile bypasses file privilege check.

access rights checking fixed.
2025-01-16 12:02:42 +01:00 · 2021-03-17 18:28:31 +04:00 · 2021-03-17 18:28:31 +04:00 · 047eb2258d
commit 047eb2258d
parent abdc39b0a7
4 changed files with 15 additions and 14 deletions
--- a/mysql-test/suite/json/r/json_table.result
+++ b/mysql-test/suite/json/r/json_table.result
@ -111,6 +111,8 @@ a
 select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt;
 a	f
 {"foo":"bar"}	bar
+select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: NO)
 connection default;
 disconnect con1;
 drop user u@localhost;
--- a/mysql-test/suite/json/t/json_table.test
+++ b/mysql-test/suite/json/t/json_table.test
@ -74,6 +74,12 @@ grant select (a) on db.t to u@localhost;
 select a from t;
 select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt;

+#
+# MDEV-25141 JSON_TABLE: SELECT into outfile bypasses file privilege check
+#
+--error ER_ACCESS_DENIED_ERROR
+select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q;
+
 connection default;
 disconnect con1;

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -8150,16 +8150,9 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
    if (!want_access)
      continue;                                 // ok

-    if (t_ref->table_function)
-    {
-      /* Table function doesn't need any privileges to be checked.  */
-      t_ref->grant.privilege|= TMP_TABLE_ACLS;
-      t_ref->grant.want_privilege= NO_ACL;
-      continue;
-    }
-
    if (!(~t_ref->grant.privilege & want_access) ||
-        t_ref->is_anonymous_derived_table() || t_ref->schema_table)
+        t_ref->is_anonymous_derived_table() || t_ref->schema_table ||
+        t_ref->table_function)
    {
      /*
        It is subquery in the FROM clause. VIEW set t_ref->derived after
@ -8168,7 +8161,8 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
        NOTE: is_derived() can't be used here because subquery in this case
        the FROM clase (derived tables) can be not be marked yet.
      */
-      if (t_ref->is_anonymous_derived_table() || t_ref->schema_table)
+      if (t_ref->is_anonymous_derived_table() || t_ref->schema_table ||
+          t_ref->table_function)
      {
        /*
          If it's a temporary table created for a subquery in the FROM
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -7104,9 +7104,6 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables,
    if (table_ref->is_anonymous_derived_table())
      continue;

-    if (table_ref->table_function)
-      continue;
-
    if (table_ref->sequence)
    {
      /* We want to have either SELECT or INSERT rights to sequences depending
@ -7116,7 +7113,9 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables,
                    INSERT_ACL : SELECT_ACL);
    }

-    if (check_access(thd, want_access, table_ref->get_db_name(),
+    if (check_access(thd, want_access,
+                     table_ref->table_function ? any_db :
+                                                 table_ref->get_db_name(),
                     &table_ref->grant.privilege,
                     &table_ref->grant.m_internal,
                     0, no_errors))