[ http://tracker.firebirdsql.org/browse/CORE-4985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dmitry Yemanov reopened CORE-4985:
----------------------------------
Fix Version/s: (was: 4.0 Alpha 1)
Re-opened due to regression found, fix is rolled back.
> Non-privileged user can implicitly count records in a restricted table
> ----------------------------------------------------------------------
>
> Key: CORE-4985
> URL: http://tracker.firebirdsql.org/browse/CORE-4985
> Project: Firebird Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.5.5, 3.0 RC2, 4.0 Initial
> Reporter: Pavel Zotov
> Assignee: Dmitry Yemanov
>
> SQL> create or alter user john password '123';
> SQL> create table test(id int);
> SQL> set count on;
> SQL> insert into test select row_number()over() from rdb$types rows 7;
> Records affected: 7
> SQL> commit;
> SQL> revoke all on all from john;
> Warning: ALL on ALL is not granted to JOHN.
> SQL> commit;
> SQL> connect '/3333:e30' user john password '123';
> Database: '/3333:e30', User: JOHN
> SQL> select count(*) from test;
> Statement failed, SQLSTATE = 28000
> no permission for SELECT access to TABLE TEST ----- OK, expected
> SQL> set count on;
> SQL> select 1 from test;
> CONSTANT
> ============
> 1
> 1
> 1
> 1
> 1
> 1
> 1
> Records affected: 7 -------------- ?? Why he can know result of COUNT(*)
> using this way ?
> WI-V3.0.0.32136
> PS. Maybe this is not a bug, but IMO user should not have *any* knowledge
> about such table, even about number of rows in it.
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel