From 7a8fd4107d6b4f41658152319a60b0cd0425ca48 Mon Sep 17 00:00:00 2001
From: "gluh@mysql.com/eagle.(none)" <>
Date: Mon, 20 Aug 2007 11:23:08 +0500
Subject: [PATCH] Bug#27629 Possible security flaw in INFORMATION_SCHEMA and
 SHOW statements added SUPER_ACL check for I_S.TRIGGERS

---
 mysql-test/r/information_schema.result    | 26 ++++++++++++++++++++++-
 mysql-test/r/information_schema_db.result |  2 --
 mysql-test/t/information_schema.test      | 26 +++++++++++++++++++++++
 sql/sql_show.cc                           | 10 +++++++--
 4 files changed, 59 insertions(+), 5 deletions(-)

diff --git a/mysql-test/r/information_schema.result b/mysql-test/r/information_schema.result
index 9d0e41b341a..612e744a0f4 100644
--- a/mysql-test/r/information_schema.result
+++ b/mysql-test/r/information_schema.result
@@ -180,7 +180,6 @@ t1	a	select
 show columns from mysqltest.t1;
 Field	Type	Null	Key	Default	Extra
 a	int(11)	YES		NULL	
-b	varchar(30)	YES	MUL	NULL	
 select table_name, column_name, privileges from information_schema.columns
 where table_schema = 'mysqltest' and table_name = 'v1';
 table_name	column_name	privileges
@@ -1330,4 +1329,29 @@ alter database;
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
 alter database test;
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
+create database mysqltest;
+create table mysqltest.t1(a int, b int, c int);
+create trigger mysqltest.t1_ai after insert on mysqltest.t1
+for each row set @a = new.a + new.b + new.c;
+grant select(b) on mysqltest.t1 to mysqltest_1@localhost;
+select trigger_name from information_schema.triggers
+where event_object_table='t1';
+trigger_name
+t1_ai
+show triggers from mysqltest;
+Trigger	Event	Table	Statement	Timing	Created	sql_mode	Definer
+t1_ai	INSERT	t1	set @a = new.a + new.b + new.c	AFTER	NULL		root@localhost
+show columns from t1;
+Field	Type	Null	Key	Default	Extra
+b	int(11)	YES		NULL	
+select column_name from information_schema.columns where table_name='t1';
+column_name
+b
+show triggers;
+Trigger	Event	Table	Statement	Timing	Created	sql_mode	Definer
+select trigger_name from information_schema.triggers
+where event_object_table='t1';
+trigger_name
+drop user mysqltest_1@localhost;
+drop database mysqltest;
 End of 5.0 tests.
diff --git a/mysql-test/r/information_schema_db.result b/mysql-test/r/information_schema_db.result
index 2d330dda333..dd1f0295277 100644
--- a/mysql-test/r/information_schema_db.result
+++ b/mysql-test/r/information_schema_db.result
@@ -140,13 +140,11 @@ create view v2 as select f1 from testdb_1.v1;
 create view v4 as select f1,f2 from testdb_1.v3;
 show fields from testdb_1.v5;
 Field	Type	Null	Key	Default	Extra
-f1	char(4)	YES		NULL	
 show create view testdb_1.v5;
 View	Create View
 v5	CREATE ALGORITHM=UNDEFINED DEFINER=`testdb_1`@`localhost` SQL SECURITY DEFINER VIEW `testdb_1`.`v5` AS select `testdb_1`.`t1`.`f1` AS `f1` from `testdb_1`.`t1`
 show fields from testdb_1.v6;
 Field	Type	Null	Key	Default	Extra
-f1	char(4)	YES		NULL	
 show create view testdb_1.v6;
 View	Create View
 v6	CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `testdb_1`.`v6` AS select `testdb_1`.`t1`.`f1` AS `f1` from `testdb_1`.`t1`
diff --git a/mysql-test/t/information_schema.test b/mysql-test/t/information_schema.test
index 6cf4ad8f576..7637a027e8f 100644
--- a/mysql-test/t/information_schema.test
+++ b/mysql-test/t/information_schema.test
@@ -1045,4 +1045,30 @@ drop table t1,t2;
 alter database;
 --error ER_PARSE_ERROR
 alter database test;
+
+#
+# Bug#27629 Possible security flaw in INFORMATION_SCHEMA and SHOW statements
+#
+
+create database mysqltest;
+create table mysqltest.t1(a int, b int, c int);
+create trigger mysqltest.t1_ai after insert on mysqltest.t1
+  for each row set @a = new.a + new.b + new.c;
+grant select(b) on mysqltest.t1 to mysqltest_1@localhost;
+
+select trigger_name from information_schema.triggers
+where event_object_table='t1';
+show triggers from mysqltest;
+
+connect (con27629,localhost,mysqltest_1,,mysqltest);
+show columns from t1;
+select column_name from information_schema.columns where table_name='t1';
+
+show triggers;
+select trigger_name from information_schema.triggers
+where event_object_table='t1';
+connection default;
+drop user mysqltest_1@localhost;
+drop database mysqltest;
+
 --echo End of 5.0 tests.
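Review bot: The `con27629` session opened with `connect (con27629,localhost,mysqltest_1,,mysqltest);` is never closed, so `drop user` and `drop database` run while the restricted session is still attached. Adding `disconnect con27629;` right after `connection default;` keeps the session from leaking into later tests in the file. The block only checks that the column-restricted account sees nothing; a second account granted SUPER but distinct from root would pin the positive side of the new check in `get_schema_triggers_record` as well.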
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index 05a847b3830..e21de81fbdb 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -2684,8 +2684,7 @@ static int get_schema_column_record(THD *thd, TABLE_LIST *tables,
     col_access= get_column_grant(thd, &tables->grant, 
                                  base_name, file_name,
                                  field->field_name) & COL_ACLS;
-    if (lex->orig_sql_command != SQLCOM_SHOW_FIELDS  && 
-        !tables->schema_table && !col_access)
+    if (!tables->schema_table && !col_access)
       continue;
     end= tmp;
     for (uint bitnr=0; col_access ; col_access>>=1,bitnr++)
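Review bot: The shortened condition `if (!tables->schema_table && !col_access)` now carries the whole column-visibility rule for both SHOW FIELDS and I_S.COLUMNS, but nothing on the line says so, nor why `schema_table` entries remain exempt. A one-line comment above it would keep the exemption from being re-added later, for example `/* Skip columns the user holds no column privilege on; INFORMATION_SCHEMA tables themselves are not filtered. */`. The enclosing loop and function start outside this hunk, so it is not visible whether `lex` is still used elsewhere in the function; if this was its only use, the local should go too.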
@@ -3381,6 +3380,12 @@ static int get_schema_triggers_record(THD *thd, TABLE_LIST *tables,
   {
     Table_triggers_list *triggers= tables->table->triggers;
     int event, timing;
+
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+    if (!(thd->security_ctx->master_access & SUPER_ACL))
+      goto ret;
+#endif
+
     for (event= 0; event < (int)TRG_EVENT_MAX; event++)
     {
       for (timing= 0; timing < (int)TRG_ACTION_MAX; timing++)
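Review bot: When NO_EMBEDDED_ACCESS_CHECKS is defined the `goto ret;` is compiled out but the `ret:` label added in the last hunk of this file remains, leaving an unused label in those builds. As `ret:` sits directly before `DBUG_RETURN(0);`, the guard can return on its own, `if (!(thd->security_ctx->master_access & SUPER_ACL)) DBUG_RETURN(0);`, and the label can be dropped. The check does not depend on the table, so it could also sit ahead of the `triggers` lookup instead of inside the block. A short comment would record the reason for the guard, e.g. `/* Trigger bodies may reference columns the user cannot read; list them for SUPER only. */`. The function begins outside this hunk.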
@@ -3407,6 +3412,7 @@ static int get_schema_triggers_record(THD *thd, TABLE_LIST *tables,
       }
     }
   }
+ret:
   DBUG_RETURN(0);
 }