
Non-privileged user can implicitly count records in a restricted table [CORE4985] #5276

Closed
firebird-issue-importer opened this issue Oct 30, 2015 · 14 comments

Comments

Submitted by: @pavel-zotov

SQL> create or alter user john password '123';
SQL> create table test(id int);
SQL> set count on;
SQL> insert into test select row_number()over() from rdb$types rows 7;
Records affected: 7
SQL> commit;
SQL> revoke all on all from john;
Warning: ALL on ALL is not granted to JOHN.
SQL> commit;
SQL> connect '/3333:e30' user john password '123';
Database: '/3333:e30', User: JOHN

SQL> select count(*) from test;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE TEST ----- OK, expected

SQL> set count on;
SQL> select 1 from test;

CONSTANT

============
1
1
1
1
1
1
1

Records affected: 7 -------------- ?? Why can he learn the result of COUNT(*) this way?

WI-V3.0.0.32136

PS. Maybe this is not a bug, but IMO the user should not have *any* knowledge about such a table, not even the number of rows in it.

Commits: 82b2b21 a53c6db 1fef2e6
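The report above can be turned into a regression check that a database administrator runs after upgrading. The isql script below is an added example, not the project's own QA test (bugs.core_4985 in fbt-repo): it re-runs both queries from the transcript as the unprivileged user and documents the expected outcome on a fixed build. It assumes the same connection string as the report ('/3333:e30') and uses a placeholder for the SYSDBA password.

```sql
-- Added example: regression check for CORE-4985. Not the project's fbt test.
-- Run with isql. Connection string taken from the report; <sysdba_password>
-- is a placeholder to replace with the real one.
connect '/3333:e30' user sysdba password '<sysdba_password>';

-- Build the fixture exactly as in the report.
create or alter user john password '123';
recreate table test(id int);
commit;
insert into test select row_number() over() from rdb$types rows 7;
commit;

-- JOHN was never granted anything; revoking keeps the script idempotent
-- (isql prints "ALL on ALL is not granted to JOHN", which is harmless).
revoke all on all from john;
commit;

-- Switch to the unprivileged user.
connect '/3333:e30' user john password '123';
set count on;

-- Check 1: an explicit count is denied on every build.
-- Expected: Statement failed, SQLSTATE = 28000 (no permission for SELECT).
select count(*) from test;

-- Check 2: projecting a constant leaked "Records affected: 7" before the fix.
-- Expected on a fixed build: the same SQLSTATE = 28000, no rows, and no
-- "Records affected" line. Any row count printed here means the leak exists.
select 1 from test;

-- Tear the fixture down as SYSDBA.
connect '/3333:e30' user sysdba password '<sysdba_password>';
drop table test;
drop user john;
commit;
```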

@firebird-issue-importer firebird-issue-importer commented Oct 30, 2015

Commented by: Sean Leyne (seanleyne)

Edited Summary for readability

@firebird-issue-importer firebird-issue-importer commented Oct 30, 2015

Modified by: Sean Leyne (seanleyne)

summary: Non-privileged user can query constant value (NO any of field(s)) from table for which he has no rights. This mean that he can know number of records in that table. => Non-privileged user can to detect number of records in table for which he has no rights by using SELECT constant value (NO field(s)) from TABLE

@firebird-issue-importer firebird-issue-importer commented Mar 23, 2016

Modified by: @pavel-zotov

Version: 4.0 Initial [ 10621 ]

Version: 3.0 RC2 [ 10048 ]

Version: 2.5.5 [ 10670 ]

Component: Security [ 10071 ]

@firebird-issue-importer firebird-issue-importer commented Mar 23, 2016

Modified by: @dyemanov

assignee: Dmitry Yemanov [ dimitr ]

summary: Non-privileged user can to detect number of records in table for which he has no rights by using SELECT constant value (NO field(s)) from TABLE => Non-privileged user can implicitly count records in a restricted table

@firebird-issue-importer firebird-issue-importer commented Mar 23, 2016

Modified by: @dyemanov

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Alpha 1 [ 10731 ]

@firebird-issue-importer firebird-issue-importer commented Mar 24, 2016

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done successfully

@firebird-issue-importer firebird-issue-importer commented Mar 24, 2016

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-issue-importer firebird-issue-importer commented Jun 6, 2020

Commented by: @dyemanov

Re-opened due to regression found, fix is rolled back.

@firebird-issue-importer firebird-issue-importer commented Jun 6, 2020

Modified by: @dyemanov

status: Closed [ 6 ] => Reopened [ 4 ]

resolution: Fixed [ 1 ] =>

Fix Version: 4.0 Alpha 1 [ 10731 ] =>

@firebird-issue-importer firebird-issue-importer commented Jun 7, 2020

Modified by: @pavel-zotov

status: Reopened [ 4 ] => Reopened [ 4 ]

Test Details: 07.06.2020
bugs.core_4985 was temporarily added to the file "...fbt-repo\tests\qa4x-exclude-list.txt" so that this test is skipped when running on FB 4.x.

TODO: check later whether this test can be included again in the common list.

@firebird-issue-importer firebird-issue-importer commented Jun 7, 2020

Modified by: @pavel-zotov

status: Reopened [ 4 ] => Reopened [ 4 ]

QA Status: Done successfully => Deferred

@firebird-issue-importer firebird-issue-importer commented Jun 17, 2020

Modified by: @dyemanov

status: Reopened [ 4 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 RC 1 [ 10930 ]

@firebird-issue-importer firebird-issue-importer commented Dec 31, 2020

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Deferred => Done successfully

Test Details: 07.06.2020
bugs.core_4985 was temporarily added to the file "...fbt-repo\tests\qa4x-exclude-list.txt" so that this test is skipped when running on FB 4.x.

TODO: check later whether this test can be included again in the common list.

=>

@firebird-issue-importer firebird-issue-importer commented Dec 31, 2020

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]
