Fix: Fixing all the issues related to assigning privileges to databases with '_' #17015
Conversation
Hi @iifawzi Currently you removed all escaping, this is not right because as you can see on my example. So you need to add back escaping on DB list, edit page. That said the queries look good! I have a theory about why there are two mysql.db [Show dbs before] [Show dbs after]
I can see that in your
How can I encounter such an issue? What do you mean by This PR implementation is supposed to have this:
Are we ok with this? Can you give me a case that might prevent this from happening or make a conflict with it in the GUI? I'm asking because, if the queries look good, it means the GUI looks good I think, because I'm just unescaping the name used in the query and using it in the GUI. If the GUI can be misleading in any case, it means there will be something wrong in the queries, I think. How can the query look good and the GUI have bugs? It took too long I know, thank you for your patience, I just wanna be sure that I understood your points before adding back the escaping on DB list, edit page GUIs. Thank you again.
No, it's intended and is a wildcard example
You can grant a user the use of I am not sure if this is more clear, but there is a case where
So you only need to escape on database lists add to make
Ohhh... I got it. Nice! I never thought that this's possible.
Signed-off-by: Fawzi E. Abdulfattah <iifawzie@gmail.com>
abb6e03
to
68981b7
I've tested the mentioned cases in the PR's description and it worked, and the GUI is now working as expected, hopefully :D.
@@ -514,8 +514,7 @@ public function getSqlQueryForDisplayPrivTable($db, $table, $username, $hostname | |||
return 'SELECT * FROM `mysql`.`db`' | |||
. " WHERE `User` = '" . $this->dbi->escapeString($username) . "'" | |||
. " AND `Host` = '" . $this->dbi->escapeString($hostname) . "'" | |||
. " AND '" . $this->dbi->escapeString(Util::unescapeMysqlWildcards($db)) . "'" | |||
. ' LIKE `Db`;'; | |||
. " AND `Db` = '" . $this->dbi->escapeString($db) . "'"; |
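Review bot: with `` `Db` = '…' `` the lookup is now an exact match on the stored pattern, so `$db` has to arrive in the same (wildcard-escaped) form that is stored in `mysql.db`, e.g. `a\_hidden` if the grant was made on the literal database rather than on the `a_%` pattern; a docblock line stating that the parameter is the stored pattern, not the display name, would keep callers from passing an unescaped name and getting no row back. The removed `Util::unescapeMysqlWildcards($db)` combined with `'…' LIKE `Db`` is what made the `a_%` row match when editing `a_hidden`, so the change itself is right, and `$this->dbi->escapeString($db)` still wraps the value, so the quoting of the literal is unchanged.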
I've encountered another issue regarding the privileges table: if we have privileges on `a_%` and `a_hidden`. Before, if we tried to edit the privileges on `a_hidden`, the privileges of `a_%` would be shown instead (can be tested on https://demo.phpmyadmin.net/master/ ). I've fixed it by looking for an exact match instead of using `LIKE`, and removed the unescaping function. I've tested all the cases that crossed my mind; they worked as expected. I hope that I'm not missing anything.
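To make the two points of this thread concrete, the `a_%` versus `a_hidden` confusion and the need to keep wildcard escaping when a literal database name is granted, here is an added example that is not part of the PR or of phpMyAdmin. It is a small Python model of MySQL's `LIKE` semantics (`%`, `_`, backslash escape) run over a constructed sample of `mysql.db` rows; the row data, user name and function names are made up for the illustration.

```python
import re

# Constructed sample of mysql.db rows for one account (not real data).
# "a_%" is a wildcard grant covering every database whose name starts with
# "a" followed by at least one character. "a_hidden" was granted as a literal
# database name but stored unescaped, so MySQL treats its "_" as a wildcard.
MYSQL_DB_ROWS = [
    {"User": "app", "Host": "localhost", "Db": "a_%", "Select_priv": "Y", "Insert_priv": "N"},
    {"User": "app", "Host": "localhost", "Db": "a_hidden", "Select_priv": "Y", "Insert_priv": "Y"},
    {"User": "app", "Host": "localhost", "Db": "other", "Select_priv": "N", "Insert_priv": "N"},
]


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a MySQL LIKE pattern into an anchored regex.

    % matches any sequence, _ matches exactly one character, and a backslash
    makes the following character literal (MySQL's default ESCAPE).
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "%":
            out.append(".*")
        elif c == "_":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def mysql_like(value: str, pattern: str) -> bool:
    """Model of `value LIKE pattern` in MySQL."""
    return like_to_regex(pattern).match(value) is not None


def escape_mysql_wildcards(name: str) -> str:
    """Escape a literal database name so it is stored as a non-wildcard Db
    pattern; this is the escaping the thread says must stay on the DB list
    and edit pages when privileges are added for a literal name."""
    return name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def lookup_with_like(db: str) -> list:
    """Old behaviour: `'db' LIKE Db`. Every stored pattern that covers the
    name matches, so editing a_hidden can surface the a_% row first."""
    return [row["Db"] for row in MYSQL_DB_ROWS if mysql_like(db, row["Db"])]


def lookup_exact(db: str) -> list:
    """New behaviour: `Db = 'db'`. Only the row for this stored pattern."""
    return [row["Db"] for row in MYSQL_DB_ROWS if row["Db"] == db]


if __name__ == "__main__":
    print("LIKE lookup for a_hidden :", lookup_with_like("a_hidden"))
    print("exact lookup for a_hidden:", lookup_exact("a_hidden"))
    literal = escape_mysql_wildcards("a_hidden")
    print("escaped literal name     :", literal)
    print("aXhidden covered by a_hidden  :", mysql_like("aXhidden", "a_hidden"))
    print("aXhidden covered by", literal, ":", mysql_like("aXhidden", literal))
```

The `LIKE` lookup returns both `a_%` and `a_hidden` for `a_hidden`, and whichever row the database returns first is what the old page displayed; the exact lookup returns only the row being edited. The last two lines show why the escaping matters on the add and list pages: an unescaped `a_hidden` grant also covers `aXhidden`, while the stored form `a\_hidden` covers only that one database.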
This all looks very nice, I will test it !
Awesome! It fixes all bugs.
Just found something (#16477 is back)
Hmm, I think based on #16477 (comment), the issue was due to considering the The issue you've mentioned is regarding granting permissions on a wildcard example like the mess comes from that when #16481 is introduced, this bug #17010 (comment) wasn't fixed, which led to allowing the
@sudo-robot deploy
Hmm, you are right. This was probably a bug, I could not replicate it on the deployed server.
Let me know if you've found anything that could be fixed, and thank you for following up with this, your guidance, and your fast replies @williamdes. You're encouraging me to keep contributing.
I am so happy to have so great and involved contributions! ❤️ Conclusion: it works better when I use an escaped version 🤦🏻
Signed-off-by: William Desportes <williamdes@wdes.fr>
Signed-off-by: William Desportes <williamdes@wdes.fr>
Signed-off-by: Fawzi E. Abdulfattah <iifawzie@gmail.com>
Description
This PR fixes all the bugs discussed at #17010 and the bug mentioned in #16994.
Fixes: