New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Non-privileged user can implicitly count records in a restricted table [CORE4985] #5276
Comments
Commented by: Sean Leyne (seanleyne) Edited Summary for readability |
Modified by: Sean Leyne (seanleyne)summary: Non-privileged user can query constant value (NO any of field(s)) from table for which he has no rights. This mean that he can know number of records in that table. => Non-privileged user can to detect number of records in table for which he has no rights by using SELECT constant value (NO field(s)) from TABLE |
Modified by: @pavel-zotovVersion: 4.0 Initial [ 10621 ] Version: 3.0 RC2 [ 10048 ] Version: 2.5.5 [ 10670 ] Component: Security [ 10071 ] |
Modified by: @dyemanovassignee: Dmitry Yemanov [ dimitr ] summary: Non-privileged user can to detect number of records in table for which he has no rights by using SELECT constant value (NO field(s)) from TABLE => Non-privileged user can implicitly count records in a restricted table |
Modified by: @dyemanovstatus: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 4.0 Alpha 1 [ 10731 ] |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: No test => Done successfully |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Closed [ 6 ] |
Commented by: @dyemanov Re-opened due to regression found, fix is rolled back. |
Modified by: @dyemanovstatus: Closed [ 6 ] => Reopened [ 4 ] resolution: Fixed [ 1 ] => Fix Version: 4.0 Alpha 1 [ 10731 ] => |
Modified by: @pavel-zotovstatus: Reopened [ 4 ] => Reopened [ 4 ] Test Details: 07.06.2020 TODO: check later on ability to include this test again in the common list. |
Modified by: @pavel-zotovstatus: Reopened [ 4 ] => Reopened [ 4 ] QA Status: Done successfully => Deferred |
Modified by: @dyemanovstatus: Reopened [ 4 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 4.0 RC 1 [ 10930 ] |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: Deferred => Done successfully Test Details: 07.06.2020 TODO: check later on ability to include this test again in the common list. => |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Closed [ 6 ] |
Submitted by: @pavel-zotov
SQL> create or alter user john password '123';
SQL> create table test(id int);
SQL> set count on;
SQL> insert into test select row_number()over() from rdb$types rows 7;
Records affected: 7
SQL> commit;
SQL> revoke all on all from john;
Warning: ALL on ALL is not granted to JOHN.
SQL> commit;
SQL> connect '/3333:e30' user john password '123';
Database: '/3333:e30', User: JOHN
SQL> select count(*) from test;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE TEST ----- OK, expected
SQL> set count on;
SQL> select 1 from test;
============
1
1
1
1
1
1
1
Records affected: 7 -------------- ?? Why he can know result of COUNT(*) using this way ?
WI-V3.0.0.32136
PS. May be this is not a bug, but IMO user shoudl not have *any* knowledge about such table, even about number of rows in it.
Commits: 82b2b21 a53c6db 1fef2e6
The text was updated successfully, but these errors were encountered: