Re: SET PASSWORD broken in 4.0.12 (-Max) Found the bug in sql/sql_acl.cc:1007 -- check_change_password - Michael Loftis - com.mysql.lists.bugs

13 messages in com.mysql.lists.bugsRe: SET PASSWORD broken in 4.0.12 (-M...

From	Sent On	Attachments
Michael Loftis	20 Apr 2003 13:19
Alexander Keremidarski	20 Apr 2003 16:27
Michael Loftis	20 Apr 2003 16:37
Alexander Keremidarski	20 Apr 2003 16:51
Michael Loftis	20 Apr 2003 18:58
Michael Loftis	20 Apr 2003 23:27
Sinisa Milivojevic	21 Apr 2003 04:56
Michael Loftis	21 Apr 2003 11:14
Michael Loftis	21 Apr 2003 11:32
Sinisa Milivojevic	21 Apr 2003 12:16
Michael Loftis	21 Apr 2003 12:50
Michael Loftis	21 Apr 2003 16:12
Sinisa Milivojevic	22 Apr 2003 04:04

Subject:	Re: SET PASSWORD broken in 4.0.12 (-Max) Found the bug in sql/sql_acl.cc:1007 -- check_change_password
From:	Michael Loftis (mlof...@modwest.com)
Date:	04/21/2003 11:14:56 AM
List:	com.mysql.lists.bugs

Look at the code though. The actual case is if the user or the host doesn't match up. and SET PASSWORD is giving it user->host.str which appears to be the IP address as a string.

It's using a different host name than the authentication system is using (because we can obviously login fine). The other thing that makes me wonder is does my_strcasecmp() do % wildcarding? If not that breaks this too.

--On Monday, April 21, 2003 2:57 PM +0300 Sinisa Milivojevic <sin...@mysql.com> wrote:

Michael Loftis writes:

And here it is in a nutshell folks. Update access to mysql table is apparently required.

Why is this the case? That code seems to need to be yanked atleast for the case of change_password/SET PASSWORD.

[skip]

Hi!

UPDATE privilege on mysql db is required ONLY if password is changed for some other user.

Otherwise there is no such requirement.

Regards,