MDEV-25141 JSON_TABLE: SELECT into outfile bypasses file privilege check.

Alexey Botchkov · Alexey Botchkov · commit 047eb2258dfc · 2021-04-21T10:21:44.000+04:00
access rights checking fixed.
diff --git a/mysql-test/suite/json/r/json_table.result b/mysql-test/suite/json/r/json_table.result
@@ -111,6 +111,8 @@ a
 select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt;
 a	f
 {"foo":"bar"}	bar
+select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: NO)
 connection default;
 disconnect con1;
 drop user u@localhost;
diff --git a/mysql-test/suite/json/t/json_table.test b/mysql-test/suite/json/t/json_table.test
@@ -74,6 +74,12 @@ grant select (a) on db.t to u@localhost;
 select a from t;
 select * from t, json_table(t.a, '$' columns(f varchar(20) path '$.foo')) as jt;
 
+#
+# MDEV-25141 JSON_TABLE: SELECT into outfile bypasses file privilege check
+#
+--error ER_ACCESS_DENIED_ERROR
+select * into outfile 'f' from json_table('[]', '$' columns(x for ordinality)) q;
+
 connection default;
 disconnect con1;
 
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -8150,16 +8150,9 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
     if (!want_access)
       continue;                                 // ok
 
-    if (t_ref->table_function)
-    {
-      /* Table function doesn't need any privileges to be checked.  */
-      t_ref->grant.privilege|= TMP_TABLE_ACLS;
-      t_ref->grant.want_privilege= NO_ACL;
-      continue;
-    }
-
     if (!(~t_ref->grant.privilege & want_access) ||
-        t_ref->is_anonymous_derived_table() || t_ref->schema_table)
+        t_ref->is_anonymous_derived_table() || t_ref->schema_table ||
+        t_ref->table_function)
     {
       /*
         It is subquery in the FROM clause. VIEW set t_ref->derived after
@@ -8168,7 +8161,8 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
         NOTE: is_derived() can't be used here because subquery in this case
         the FROM clase (derived tables) can be not be marked yet.
       */
-      if (t_ref->is_anonymous_derived_table() || t_ref->schema_table)
+      if (t_ref->is_anonymous_derived_table() || t_ref->schema_table ||
+          t_ref->table_function)
       {
         /*
           If it's a temporary table created for a subquery in the FROM
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
@@ -7104,9 +7104,6 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables,
     if (table_ref->is_anonymous_derived_table())
       continue;
 
-    if (table_ref->table_function)
-      continue;
-
     if (table_ref->sequence)
     {
       /* We want to have either SELECT or INSERT rights to sequences depending
@@ -7116,7 +7113,9 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables,
                     INSERT_ACL : SELECT_ACL);
     }
 
-    if (check_access(thd, want_access, table_ref->get_db_name(),
+    if (check_access(thd, want_access,
+                     table_ref->table_function ? any_db :
+                                                 table_ref->get_db_name(),
                      &table_ref->grant.privilege,
                      &table_ref->grant.m_internal,
                      0, no_errors))
