MDEV-32501 KEY_PERIOD_USAGE reveals information to unprivileged user

Restrict access to KEY_PERIOD_USAGE: show the constraint record iff any non-select privilege on any table column is granted. Also drop the unprivileged user in the end of test and add merge anchor.
2025-01-16 03:52:35 +01:00 · 2024-01-04 23:46:52 +01:00 · 2024-01-04 23:46:52 +01:00 · 22e41dae88
commit 22e41dae88
parent 5c2f8c017c
3 changed files with 90 additions and 2 deletions
--- a/mysql-test/suite/period/r/i_s_notembedded.result
+++ b/mysql-test/suite/period/r/i_s_notembedded.result
@ -30,6 +30,12 @@ TABLE_CATALOG	TABLE_SCHEMA	TABLE_NAME	PERIOD	START_COLUMN_NAME	END_COLUMN_NAME
 connection default;
 grant select(id) on test.t1 to periods_hidden@localhost;
 connection chopped;
+connection default;
+revoke select(id) on test.t1 from periods_hidden@localhost;
+connection chopped;
+connection default;
+grant update(id) on test.t1 to periods_hidden@localhost;
+connection chopped;
 select * from information_schema.periods where table_schema = 'test';
 TABLE_CATALOG	TABLE_SCHEMA	TABLE_NAME	PERIOD	START_COLUMN_NAME	END_COLUMN_NAME
 def	test	t1	mytime	NULL	NULL
@ -56,7 +62,6 @@ def	test	t1	mytime	s	NULL
 def	test	t2	SYSTEM_TIME	vs	ve
 def	test	t2	mytime	s	e
 connection default;
-drop user periods_hidden@localhost;
 drop tables t1, t2;
 # MDEV-32503 Queries from KEY_PERIOD_USAGE don't obey case-sensitivity
 create table t (a int, b date, c date, period for app(b,c),
@ -80,3 +85,34 @@ select constraint_name from information_schema.key_period_usage where constraint
 constraint_name
 idx
 drop table t;
+# MDEV-32501 KEY_PERIOD_USAGE reveals information to unprivileged user
+create table t (a int, b date, c date, f int, period for app(b, c),
+primary key(a, app without overlaps));
+grant select (f) on t to periods_hidden@localhost;
+connection chopped;
+select period_name from information_schema.key_period_usage where table_name = 't';
+period_name
+connection default;
+grant update (f) on t to periods_hidden@localhost;
+connection chopped;
+select 'can be seen', constraint_name, period_name from information_schema.key_period_usage where table_name = 't';
+can be seen	constraint_name	period_name
+can be seen	PRIMARY	app
+connection default;
+revoke update (f) on t from periods_hidden@localhost;
+connection chopped;
+update t set f = 1;
+ERROR 42000: UPDATE command denied to user 'periods_hidden'@'localhost' for table `test`.`t`
+select period_name from information_schema.key_period_usage where table_name = 't';
+period_name
+connection default;
+grant alter on t to periods_hidden@localhost;
+connection chopped;
+select 'can be seen', constraint_name, period_name from information_schema.key_period_usage where table_name = 't';
+can be seen	constraint_name	period_name
+can be seen	PRIMARY	app
+connection default;
+drop table t;
+disconnect chopped;
+connection default;
+drop user periods_hidden@localhost;
--- a/mysql-test/suite/period/t/i_s_notembedded.test
+++ b/mysql-test/suite/period/t/i_s_notembedded.test
@ -29,6 +29,14 @@ select * from information_schema.periods where table_schema = 'test';
 grant select(id) on test.t1 to periods_hidden@localhost;
 --connection chopped
 --sorted_result
+--connection default
+revoke select(id) on test.t1 from periods_hidden@localhost;
+--connection chopped
+--sorted_result
+--connection default
+grant update(id) on test.t1 to periods_hidden@localhost;
+--connection chopped
+--sorted_result
 select * from information_schema.periods where table_schema = 'test';
 --connection default
 grant select(s) on test.t1 to periods_hidden@localhost;
@ -46,7 +54,6 @@ grant update on test.t2 to periods_hidden@localhost;
 --sorted_result
 select * from information_schema.periods where table_schema = 'test';
 --connection default
-drop user periods_hidden@localhost;
 drop tables t1, t2;

 --echo # MDEV-32503 Queries from KEY_PERIOD_USAGE don't obey case-sensitivity
@ -72,3 +79,41 @@ select constraint_name from information_schema.key_period_usage where constraint
 enable_warnings;

 drop table t;
+
+--echo # MDEV-32501 KEY_PERIOD_USAGE reveals information to unprivileged user
+create table t (a int, b date, c date, f int, period for app(b, c),
+                primary key(a, app without overlaps));
+
+grant select (f) on t to periods_hidden@localhost;
+
+--connection chopped
+select period_name from information_schema.key_period_usage where table_name = 't';
+
+--connection default
+grant update (f) on t to periods_hidden@localhost;
+--connection chopped
+select 'can be seen', constraint_name, period_name from information_schema.key_period_usage where table_name = 't';
+
+--connection default
+revoke update (f) on t from periods_hidden@localhost;
+--connection chopped
+--error ER_TABLEACCESS_DENIED_ERROR
+update t set f = 1;
+select period_name from information_schema.key_period_usage where table_name = 't';
+
+--connection default
+grant alter on t to periods_hidden@localhost;
+--connection chopped
+select 'can be seen', constraint_name, period_name from information_schema.key_period_usage where table_name = 't';
+
+--connection default
+drop table t;
+
+#
+# End of 11.4 tests
+#
+
+# Global cleanup
+--disconnect chopped
+--connection default
+drop user periods_hidden@localhost;
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@ -7789,6 +7789,13 @@ int get_schema_key_period_usage_record(THD *thd, TABLE_LIST *tables,
  if (!period_name)
    return 0;

+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+  /* Need any non-SELECT privilege on the table or any of its columns */
+  if (!get_schema_privileges_for_show(thd, tables, TABLE_ACLS & ~SELECT_ACL,
+                                      true))
+    return 0;
+#endif
+
  bool err= false;
  for (uint k= 0; !err && k < keys_total; k++)
  {