Re: dc50afee924: MDEV-32501 KEY_PERIOD_USAGE reveals information to unprivileged user
Hi, Nikita,

OK to push under the condition that you make the change as below, if it's applicable.

On Jan 05, Nikita Malyavin wrote:

revision-id: dc50afee924 (mariadb-11.3.1-13-gdc50afee924)
parent(s): 080d8c3bd8f
author: Nikita Malyavin
committer: Nikita Malyavin
timestamp: 2024-01-05 00:07:06 +0100
message:
MDEV-32501 KEY_PERIOD_USAGE reveals information to unprivileged user
Restrict access to KEY_PERIOD_USAGE: show the constraint record iff any non-select privilege on any table column is granted.
Also drop the unprivileged user at the end of the test and add a merge anchor.
diff --git a/sql/sql_show.cc b/sql/sql_show.cc index 95a9d3647b0..e5516466e20 100644 --- a/sql/sql_show.cc +++ b/sql/sql_show.cc @@ -7798,6 +7798,12 @@ int get_schema_key_period_usage_record(THD *thd, TABLE_LIST *tables, if (!period_name) return 0;
+#ifndef NO_EMBEDDED_ACCESS_CHECKS + check_grant(thd, TABLE_ACLS, tables, 1, 1, 1); + if ((tables->grant.all_privilege() & ~SELECT_ACL & TABLE_ACLS) == NO_ACL) + return 0; +#endif
Compare with get_schema_key_column_usage_record() above your get_schema_key_period_usage_record(). Perhaps you can also check `thd->col_access` and avoid check_grant()?
bool err= false; for (uint k= 0; !err && k < keys_total; k++) {
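Review bot: the return value of check_grant() is discarded and the access decision is taken from tables->grant.all_privilege() on the next line, so the call reads like a forgotten check; a one-line comment stating that check_grant() is invoked here only to populate tables->grant for this table (which is what the reply in this thread defends as the combination that works in all cases) would make the intent explicit. The mask `~SELECT_ACL & TABLE_ACLS` hides the row from users holding nothing but SELECT, as the commit message describes, and `return 0` skips the row without raising an error, which is the correct outcome for an information_schema filler.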
Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org

Hello Sergei!

On Fri, 5 Jan 2024 at 18:10, Sergei Golubchik <serg@mariadb.org> wrote:
@@ -7798,6 +7798,12 @@ int get_schema_key_period_usage_record(THD *thd, TABLE_LIST *tables, if (!period_name) return 0;
+#ifndef NO_EMBEDDED_ACCESS_CHECKS + check_grant(thd, TABLE_ACLS, tables, 1, 1, 1); + if ((tables->grant.all_privilege() & ~SELECT_ACL & TABLE_ACLS) == NO_ACL) + return 0; +#endif
Compare with get_schema_key_column_usage_record() above your get_schema_key_period_usage_record().
Perhaps you can also check `thd->col_access` and avoid check_grant()?
The problem is the same as the one you fixed in 547dfc0e01. That combination of if+check is the only way it worked correctly in all the cases.

--
Yours truly,
Nikita Malyavin