The fix that was applied for bug #3827 breaks important functionality. Because the table names are now unescaped, MySQL actually interprets the wildcards!
This occurs both for the tables from the select (e.g. my_db) and for the manually entered filter (e.g. '%_%'). PMA now unescapes these sequences, leading to unwanted behaviour:
users having access to 'my_db' will have access to 'myDdb' as well
users having access to '%_%' will have access to any table (instead of just tables with underscores)
This will lead to security related problems.
Okay, SourceForge interprets my escape sequences, leading to a very confusing report. Please read my message in the attached screenshot so you can properly view my report!
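An added example (not code from the report or from phpMyAdmin) that models how MySQL matches a Db pattern from mysql.db against database names, to show why an unescaped name is treated as a pattern and what proper escaping changes; the database list is constructed.

```python
import re

# Constructed sample of database names on a server.
SAMPLE_DATABASES = ["my_db", "myDdb", "abc", "a_c"]


def escape_mysql_wildcards(name: str) -> str:
    """Escape '_' and '%' so a GRANT ... ON `name`.* applies to exactly
    that database rather than to every name matching a pattern."""
    return (name.replace("\\", "\\\\")
                .replace("_", "\\_")
                .replace("%", "\\%"))


def db_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a MySQL privilege Db pattern into a regex.

    Unescaped '_' matches any single character and '%' any sequence;
    a backslash makes the following character match literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped: literal
            i += 2
            continue
        if c == "_":
            parts.append(".")
        elif c == "%":
            parts.append(".*")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def databases_granted(pattern: str, databases: list) -> list:
    """Return the databases a privilege row with this Db pattern covers."""
    rx = db_pattern_to_regex(pattern)
    return [db for db in databases if rx.match(db)]


if __name__ == "__main__":
    for p in ["my_db", escape_mysql_wildcards("my_db"), "%_%", "%\\_%"]:
        print(repr(p), "->", databases_granted(p, SAMPLE_DATABASES))
```

The unescaped 'my_db' row also covers 'myDdb', and '%_%' covers every non-empty name; only the escaped forms restrict the grant to the intended databases.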
@Spider.007
Do you mean table names or database names when you say they are now unescaped? Indeed the fix for 3827 created a problem by unescaping wildcards in database names. Could you confirm whether it is fixed after https://github.com/phpmyadmin/phpmyadmin/commit/63b913708ad9cf3a185850736e956acef175ce07 ? If not, please describe steps to reproduce the problem.
@Atul Pratap Singh Thanks for your fix; I will import this into our testing environment and let you know today.
Ah, I said table names but did indeed mean db names.
Your change fixed this, thanks!
OK, marking as fixed for 4.0.4. Thanks for reporting the bug!
Atul,
thanks for fixing. Recently Michal changed the available status choices; I have marked this ticket as resolved, see http://wiki.phpmyadmin.net/pma/Issue_tracker.