Uploaded image for project: 'Derby'
  1. Derby
  2. DERBY-6411

Minimal select privilege should be checked in subqueries

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10.1.1
    • Fix Version/s: 10.10.2.0, 10.11.1.1
    • Component/s: SQL
    • Labels:
      None

      Description

      DERBY-4191 added checks for minimal select privilege in cases where a SELECT query didn't access any actual column in the base table, such as SELECT COUNT FROM USER1.T and SELECT 1 FROM USER1.T. That privilege checking is only done for top-level SELECT statements. It should also be done for subqueries.

      Examples of queries where Derby does not currently check for minimal select privileges on the accessed tables (performed as USER2, which has no privileges on any of USER1's tables):

      SELECT * FROM (SELECT COUNT FROM USER1.T) S

      SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T

      INSERT INTO USER2.T SELECT 1 FROM USER1.T

      I believe that the above statements should have failed, but currently they succeed.

        Attachments

        1. d6411-1a.diff
          17 kB
          Knut Anders Hatlen

          Issue Links

            Activity

              People

              • Assignee:
                knutanders Knut Anders Hatlen
                Reporter:
                knutanders Knut Anders Hatlen
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: