[Phpmyadmin-devel] Logical error in assessing privileges?

Marc Delisle marc at infomarc.info
Tue Oct 14 14:08:34 CEST 2014


Madhura Jayaratne wrote:
> Hi all,
> 
> The following queries are used to assess whether the logged-in user has super,
> create user and grant privileges respectively. See [1]
> 
> SELECT 1 FROM mysql.user LIMIT 1
> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE =
> 'CREATE USER' LIMIT 1
> SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE IS_GRANTABLE = 'YES'
> LIMIT 1
> 
> However, if I create a user with all global privileges except for 'GRANT',
> 'SUPER', and 'CREATE USER' privileges, all the above queries return 1 since
> the queries do not check the grantee column. Rows corresponding to the
> root user make all these queries return 1.
> 
> This obviously looks like a bug to me. I'm writing to make sure that I'm not
> missing out on something obvious.
> 
> [1]
> https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/DatabaseInterface.class.php#L1917

Yes, this looks like a bug.

-- 
Marc Delisle (phpMyAdmin)
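
The effect reported in this thread, as an added example that is not part of the original messages and not phpMyAdmin code: the two USER_PRIVILEGES queries are run unchanged against a SQLite stand-in table, then again scoped by GRANTEE. The rows, the `limited` account and the helper names are constructed for illustration, and the GRANTEE filter is one possible way to scope the check, not necessarily the project's fix.

```python
import sqlite3

# Constructed rows mimicking INFORMATION_SCHEMA.USER_PRIVILEGES:
# (GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE). 'limited' is a hypothetical
# account without CREATE USER, SUPER or GRANT OPTION.
ROWS = [
    ("'root'@'localhost'", "SELECT", "YES"),
    ("'root'@'localhost'", "CREATE USER", "YES"),
    ("'root'@'localhost'", "SUPER", "YES"),
    ("'limited'@'localhost'", "SELECT", "NO"),
    ("'limited'@'localhost'", "INSERT", "NO"),
]

# The two USER_PRIVILEGES queries quoted in the thread, unchanged.
QUERIES = {
    "create_user": "SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES "
                   "WHERE PRIVILEGE_TYPE = 'CREATE USER' LIMIT 1",
    "grant": "SELECT 1 FROM INFORMATION_SCHEMA.USER_PRIVILEGES "
             "WHERE IS_GRANTABLE = 'YES' LIMIT 1",
}

def make_db():
    """In-memory SQLite stand-in so the quoted SQL runs verbatim offline."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS INFORMATION_SCHEMA")
    db.execute("CREATE TABLE INFORMATION_SCHEMA.USER_PRIVILEGES "
               "(GRANTEE TEXT, PRIVILEGE_TYPE TEXT, IS_GRANTABLE TEXT)")
    db.executemany(
        "INSERT INTO INFORMATION_SCHEMA.USER_PRIVILEGES VALUES (?, ?, ?)", ROWS)
    return db

def grantee(user, host):
    # MySQL reports GRANTEE as 'user'@'host', with the quotes included.
    return "'%s'@'%s'" % (user, host)

def check(db, name, user=None, host=None):
    """Return True if the privilege check passes.

    Without user/host the query runs as quoted in the thread, so any
    account's row satisfies it. With user/host it only matches that grantee.
    """
    sql = QUERIES[name]
    if user is None:
        return db.execute(sql).fetchone() is not None
    scoped = sql.replace(" WHERE ", " WHERE GRANTEE = ? AND ", 1)
    return db.execute(scoped, (grantee(user, host),)).fetchone() is not None
```
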



