Re: bk commit into 5.0 tree (evgen:1.2526) BUG#29908
Hi,
Ok to push.
However, one more request:
Could you please highlight in the CS comment that the patch introduces
backward-incompatible changes.
Thank you!
On Thursday 20 September 2007 18:05, eugene@mysql.com wrote:
> Below is the list of changes that have just been committed into a local
> 5.0 repository of evgen. When evgen does a push these changes will
> be propagated to the main repository and, within 24 hours after the
> push, to the public repository.
> For information on how to access the public repository
> see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
>
> ChangeSet@1.2526, 2007-09-20 18:05:09+04:00, evgen@sunlight.local +3 -0
> Bug#29908: A user can gain additional access through the ALTER VIEW.
>
> Non-definer of a view was allowed to alter that view. Due to this the alterer
> can elevate his access rights to access rights of the view definer and thus
> modify data which he wasn't allowed to modify. A view defined with
> SQL SECURITY INVOKER can't be used directly for access rights elevation.
> But a user can first alter the view SQL code and then alter the view to
> SQL SECURITY DEFINER and thus elevate his access rights. Due to this
> altering a view with SQL SECURITY INVOKER is also prohibited.
>
> Now the mysql_create_view function allows ALTER VIEW only to the view
> definer or a super user.
--
Alexander Nozdrin, Software Developer
MySQL AB, Moscow, Russia, www.mysql.com
Received on Sat Sep 22 08:36:59 2007
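
The rule stated in the quoted commit message, as an added example in Python that is not part of the original thread or of the MySQL source. It is a small model of the check, replaying the two-step INVOKER-to-DEFINER sequence before and after the fix; the names View, may_alter_view, alter_view, runs_as, the accounts admin and bob, and the sample view bodies are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class View:
    definer: str
    sql_security: str  # "DEFINER" or "INVOKER"
    body: str


def may_alter_view(user, view, is_super=False, patched=True):
    """Patched rule from the commit message: definer or super user only."""
    if not patched:
        # Model assumption: before the fix, a user holding the ordinary
        # privileges for ALTER VIEW passed regardless of who the definer was.
        return True
    return is_super or user == view.definer


def alter_view(user, view, body, sql_security, is_super=False, patched=True):
    if not may_alter_view(user, view, is_super, patched):
        raise PermissionError(f"{user} is neither definer nor super user")
    # ALTER by a non-definer leaves the definer unchanged (model assumption,
    # consistent with the escalation described in the commit message).
    view.body, view.sql_security = body, sql_security


def runs_as(view, invoker):
    """Account whose rights are checked when the view is used."""
    return view.definer if view.sql_security == "DEFINER" else invoker


def escalation_possible(patched):
    """Replay the two ALTER steps from the commit message as user 'bob'."""
    view = View(definer="admin", sql_security="INVOKER", body="SELECT a FROM t1")
    try:
        alter_view("bob", view, "SELECT * FROM restricted", "INVOKER", patched=patched)
        alter_view("bob", view, view.body, "DEFINER", patched=patched)
    except PermissionError:
        pass  # the patched check rejects the first ALTER; the view is untouched
    return runs_as(view, "bob") == "admin" and view.body == "SELECT * FROM restricted"


if __name__ == "__main__":
    print("unpatched:", escalation_possible(patched=False))
    print("patched:  ", escalation_possible(patched=True))
```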