Icon View Incident Report

Serious Serious
Reported By: Hendrik Grutzmacher
Reported On: 4/15/2011
For: Version 2.05 Build 6
# 3428 Sensitive Queries with Nested Derived Tables Can Cause AV

I have difficulties to execute the stored following procedure. edbmgr and delphi raise access violations.

ALTER PROCEDURE P_USR_REVOKEROLEFROMUSER(IN P_USERID INTEGER, IN P_ROLEUSERID INTEGER)
BEGIN
   DECLARE curRemainingRights CURSOR FOR stmtRemainingRights;
   DECLARE cName VARCHAR;
   DECLARE nRight BIGINT;
   PREPARE stmtRemainingRights FROM
      'select name, grantedright from t_userrights ur
      where user__id in
      (
         select id from t_users
         where not id in
         (
            select id from t_users,
            (
               select roleuser__id from t_userroles
               where user__id = ? and
               not roleuser__id = ? and
               not roleuser__id is null
               union all
               select a2.roleuser__id from t_userroles a1, t_userroles a2
               where a1.roleuser__id = a2.user__id and
               a1.user__id = ? and
               not a1.roleuser__id = ? and
               not a2.roleuser__id is null
            ) a1
            where id = a1.roleuser__id
         )
         and (f_usr_userhasrole(?, id) or id = ?)
      )
      and not grantedright in
      (
         select grantedright from t_userrights
         where user__id in
         (
             select id from t_users,
            (
               select roleuser__id from t_userroles
               where user__id = ? and
               not roleuser__id = ? and
               not roleuser__id is null
               union all
               select a2.roleuser__id from t_userroles a1, t_userroles a2
               where a1.roleuser__id = a2.user__id and
               a1.user__id = ? and
               not a1.roleuser__id = ? and
               not a2.roleuser__id is null
            ) a1
            where id = a1.roleuser__id
         )
      )';
   OPEN curRemainingRights USING P_USERID, P_ROLEUSERID, P_USERID, P_ROLEUSERID, P_ROLEUSERID, P_ROLEUSERID, P_USERID, P_ROLEUSERID, P_USERID, P_ROLEUSERID;
      SET STATUS MESSAGE TO 'ab gehts';
      FETCH FIRST FROM curRemainingRights INTO cName, nRight;
      WHILE NOT EOF(curRemainingRights) DO
         SET STATUS MESSAGE TO cName;
         FETCH NEXT FROM curRemainingRights INTO cName, nRight;
      END WHILE;
   CLOSE curRemainingRights;
   UNPREPARE stmtRemainingRights;
END



Comments Comments and Workarounds
The internal temporary views used for the derived tables were being improperly freed twice. The workaround is to not request a sensitive result set.


Resolution Resolution
Fixed Problem on 4/18/2011 in version 2.05 build 7


Products Affected Products Affected
ElevateDB Additional Software and Utilities
ElevateDB DAC Client-Server
ElevateDB DAC Client-Server with Source
ElevateDB DAC Standard
ElevateDB DAC Standard with Source
ElevateDB DAC Trial
ElevateDB LCL Standard with Source
ElevateDB PHP Standard
ElevateDB PHP Standard with Source
ElevateDB PHP Trial
ElevateDB VCL Client-Server
ElevateDB VCL Client-Server with Source
ElevateDB VCL Standard
ElevateDB VCL Standard with Source
ElevateDB VCL Trial

Image