Skip to content

Commit

Permalink
planner: privilege check for SELECT INTO OUTFILE (#19553) (#19577)
Browse files Browse the repository at this point in the history
Signed-off-by: ti-srebot <[email protected]>
  • Loading branch information
ti-srebot authored Sep 1, 2020
1 parent 8b3ff32 commit 502cd8d
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 1 deletion.
2 changes: 1 addition & 1 deletion planner/core/errors.go
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,6 @@ var (
ErrCartesianProductUnsupported = terror.ClassOptimizer.New(mysql.ErrCartesianProductUnsupported, mysql.MySQLErrName[mysql.ErrCartesianProductUnsupported])
ErrStmtNotFound = terror.ClassOptimizer.New(mysql.ErrPreparedStmtNotFound, mysql.MySQLErrName[mysql.ErrPreparedStmtNotFound])
ErrAmbiguous = terror.ClassOptimizer.New(mysql.ErrNonUniq, mysql.MySQLErrName[mysql.ErrNonUniq])
// Since we cannot know if user loggined with a password, use message of ErrAccessDeniedNoPassword instead
// Since we cannot know if user logged in with a password, use message of ErrAccessDeniedNoPassword instead
ErrAccessDenied = terror.ClassOptimizer.New(mysql.ErrAccessDenied, mysql.MySQLErrName[mysql.ErrAccessDeniedNoPassword])
)
1 change: 1 addition & 0 deletions planner/core/planbuilder.go
Original file line number Diff line number Diff line change
Expand Up @@ -2923,6 +2923,7 @@ func (b *PlanBuilder) buildSelectInto(ctx context.Context, sel *ast.SelectStmt)
if err != nil {
return nil, err
}
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.FilePriv, "", "", "", ErrSpecificAccessDenied.GenWithStackByArgs("FILE"))
return &SelectInto{
TargetPlan: targetPlan,
IntoOpt: selectIntoInfo,
Expand Down
9 changes: 9 additions & 0 deletions privilege/privileges/privileges_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -994,6 +994,15 @@ func (s *testPrivilegeSuite) TestLoadDataPrivilege(c *C) {
c.Assert(err, IsNil)
}

func (s *testPrivilegeSuite) TestSelectIntoNoPremissions(c *C) {
se := newSession(c, s.store, s.dbName)
mustExec(c, se, `CREATE USER 'nofile'@'localhost';`)
c.Assert(se.Auth(&auth.UserIdentity{Username: "nofile", Hostname: "localhost"}, nil, nil), IsTrue)
_, err := se.Execute(context.Background(), `select 1 into outfile '/tmp/doesntmatter-no-permissions'`)
message := "Access denied; you need (at least one of) the FILE privilege(s) for this operation"
c.Assert(strings.Contains(err.Error(), message), IsTrue)
}

func (s *testPrivilegeSuite) TestGetEncodedPassword(c *C) {
se := newSession(c, s.store, s.dbName)
mustExec(c, se, `CREATE USER 'test_encode_u'@'localhost' identified by 'root';`)
Expand Down

0 comments on commit 502cd8d

Please sign in to comment.