
Key: CORE-4985
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Dmitry Yemanov
Reporter: Pavel Zotov
Votes: 0
Watchers: 3

Firebird Core

Non-privileged user can implicitly count records in a restricted table

Created: 30/Oct/15 11:43 AM   Updated: 17/Jun/20 12:27 PM
Component/s: Security
Affects Version/s: 2.5.5, 3.0 RC2, 4.0 Initial
Fix Version/s: 4.0 RC 1

QA Status: Deferred
Test Details:
bugs.core_4985 was temporarily added to the file "...fbt-repo\tests\qa4x-exclude-list.txt" in order to skip this test from running on FB 4.x.

TODO: check later on ability to include this test again in the common list.

Description
SQL> create or alter user john password '123';
SQL> create table test(id int);
SQL> set count on;
SQL> insert into test select row_number()over() from rdb$types rows 7;
Records affected: 7
SQL> commit;
SQL> revoke all on all from john;
Warning: ALL on ALL is not granted to JOHN.
SQL> commit;
SQL> connect '/3333:e30' user john password '123';
Database: '/3333:e30', User: JOHN

SQL> select count(*) from test;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE TEST ----- OK, expected

SQL> set count on;
SQL> select 1 from test;


Records affected: 7 -------------- ?? Why can he know the result of COUNT(*) this way?


PS. Maybe this is not a bug, but IMO the user should not have *any* knowledge about such a table, even about the number of rows in it.

Sean Leyne added a comment - 30/Oct/15 03:46 PM
Edited Summary for readability

Dmitry Yemanov added a comment - 06/Jun/20 07:22 AM
Re-opened due to regression found, fix is rolled back.