Bug #31077699: NORMAL USER CAN CREATE VIEW/PROC/TRIG WITH

DEFINER=USER_WITH_SYSTEM_USER_PRIV RB#24132 The fetch of the ACL map for the current user was done based on the login user and not the authenticated user. This caused artificially created execution contexts that lack the login user being set to find the wrong ACL map. Fixed by using the privileged user instead.
zwang28 · Mar 26, 2020 · 7d10c82 · 7d10c82
1 parent a4b2a21
commit 7d10c82
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/sql/auth/sql_security_ctx.cc b/sql/auth/sql_security_ctx.cc
@@ -389,26 +389,29 @@ void Security_context::checkout_access_maps(void) {
   if (m_acl_map != nullptr) {
     DBUG_PRINT(
         "info",
-        ("(checkout) Security_context for %s@%s returns Acl_map to cache. "
+        ("(checkout) Security_context for %.*s@%.*s returns Acl_map to cache. "
          "Map reference count= %u",
-         m_user.c_ptr(), m_host.c_ptr(), m_acl_map->reference_count()));
+         (int)m_priv_user_length, m_priv_user, (int)m_priv_host_length,
+         m_priv_host, m_acl_map->reference_count()));
     get_global_acl_cache()->return_acl_map(m_acl_map);
     m_acl_map = nullptr;
   }
 
   if (m_active_roles.size() == 0) return;
   ++m_map_checkout_count;
   Auth_id_ref uid;
-  uid.first.str = this->m_user.ptr();
-  uid.first.length = this->m_user.length();
-  uid.second.str = this->m_host_or_ip.ptr();
-  uid.second.length = this->m_host_or_ip.length();
+  uid.first.str = this->m_priv_user;
+  uid.first.length = this->m_priv_user_length;
+  uid.second.str = this->m_priv_host;
+  uid.second.length = this->m_priv_host_length;
   m_acl_map =
       get_global_acl_cache()->checkout_acl_map(this, uid, m_active_roles);
   if (m_acl_map != nullptr) {
-    DBUG_PRINT("info", ("Roles are active and global access for %s@%s is set to"
-                        " %lu",
-                        user().str, host_or_ip().str, m_acl_map->global_acl()));
+    DBUG_PRINT("info",
+               ("Roles are active and global access for %.*s@%.*s is set to"
+                " %lu",
+                (int)m_priv_user_length, m_priv_user, (int)m_priv_host_length,
+                m_priv_host, m_acl_map->global_acl()));
     set_master_access(m_acl_map->global_acl(), m_acl_map->restrictions());
   } else {
     set_master_access(0);