
Non-privileged user can implicitly count records in a restricted table [CORE4985] #5276

Closed
firebird-automations opened this issue Oct 30, 2015 · 14 comments

Comments

@firebird-automations
Collaborator

Submitted by: @pavel-zotov

SQL> create or alter user john password '123';
SQL> create table test(id int);
SQL> set count on;
SQL> insert into test select row_number()over() from rdb$types rows 7;
Records affected: 7
SQL> commit;
SQL> revoke all on all from john;
Warning: ALL on ALL is not granted to JOHN.
SQL> commit;
SQL> connect '/3333:e30' user john password '123';
Database: '/3333:e30', User: JOHN

SQL> select count(*) from test;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE TEST ----- OK, expected

SQL> set count on;
SQL> select 1 from test;

CONSTANT

============
1
1
1
1
1
1
1

Records affected: 7 -------------- ?? Why he can know result of COUNT(*) using this way ?

WI-V3.0.0.32136

PS. Maybe this is not a bug, but IMO user should not have *any* knowledge about such table, even about number of rows in it.

Commits: 82b2b21 a53c6db 1fef2e6
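A verification script for the behaviour reported above, added here as an example; it is not part of the issue and not Firebird's own QA test (bugs.core_4985). It assumes the TEST table, user JOHN and alias e30 from the report, a fixed server build, and placeholder SYSDBA credentials.

```sql
-- Added check script: run with  isql -i check_core4985.sql
-- Assumptions (not from the issue): server reachable as localhost:e30,
-- SYSDBA password 'masterkey' is a placeholder; replace with your own.

-- 1. As SYSDBA: audit which users hold privileges on TEST.
--    RDB$PRIVILEGE codes: S=select, I=insert, U=update, D=delete, R=references.
connect 'localhost:e30' user sysdba password 'masterkey';
select rdb$user, rdb$privilege, rdb$field_name, rdb$grantor
from rdb$user_privileges
where rdb$relation_name = 'TEST';
-- Expected after "revoke all on all from john": no row with RDB$USER = 'JOHN'.
commit;

-- 2. As the non-privileged user: on a fixed build BOTH statements must fail
--    with SQLSTATE = 28000 (no permission for SELECT access to TABLE TEST).
connect 'localhost:e30' user john password '123';
set count on;
select count(*) from test;
select 1 from test;
-- On a vulnerable build the second statement succeeds and "Records affected"
-- reveals the row count of TEST even though no column is read.
```

The second block is the regression check to keep in a post-upgrade privilege test suite; a non-empty result from the constant-only select means the server still leaks the row count.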

@firebird-automations
Collaborator Author

Commented by: Sean Leyne (seanleyne)

Edited Summary for readability

@firebird-automations
Collaborator Author

Modified by: Sean Leyne (seanleyne)

summary: Non-privileged user can query constant value (NO any of field(s)) from table for which he has no rights. This means that he can know the number of records in that table. => Non-privileged user can detect number of records in table for which he has no rights by using SELECT constant value (NO field(s)) from TABLE

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

Version: 4.0 Initial [ 10621 ]

Version: 3.0 RC2 [ 10048 ]

Version: 2.5.5 [ 10670 ]

Component: Security [ 10071 ]

@firebird-automations
Collaborator Author

Modified by: @dyemanov

assignee: Dmitry Yemanov [ dimitr ]

summary: Non-privileged user can detect number of records in table for which he has no rights by using SELECT constant value (NO field(s)) from TABLE => Non-privileged user can implicitly count records in a restricted table

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Alpha 1 [ 10731 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done successfully

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations
Collaborator Author

Commented by: @dyemanov

Re-opened due to regression found, fix is rolled back.

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: Closed [ 6 ] => Reopened [ 4 ]

resolution: Fixed [ 1 ] =>

Fix Version: 4.0 Alpha 1 [ 10731 ] =>

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Reopened [ 4 ] => Reopened [ 4 ]

Test Details: 07.06.2020
bugs.core_4985 was temp-ly added to the file "...fbt-repo\tests\qa4x-exclude-list.txt" in order to skip this test from running on FB 4.x.

TODO: check later on ability to include this test again in the common list.

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Reopened [ 4 ] => Reopened [ 4 ]

QA Status: Done successfully => Deferred

@firebird-automations
Collaborator Author

Modified by: @dyemanov

status: Reopened [ 4 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 RC 1 [ 10930 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Deferred => Done successfully

Test Details: 07.06.2020
bugs.core_4985 was temp-ly added to the file "...fbt-repo\tests\qa4x-exclude-list.txt" in order to skip this test from running on FB 4.x.

TODO: check later on ability to include this test again in the common list.

=>

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]
