From 8e2aace9d4c0b0d403e2ab901eaf69fce0c94f91 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 28 Apr 2026 06:42:20 +0900
Subject: [PATCH] server: specify `Host` for all relevant sql queries
---
 .../sql/database_privilege_operations.rs | 47 +++++++++++--------
 src/server/sql/user_operations.rs | 8 ++--
 2 files changed, 32 insertions(+), 23 deletions(-)
diff --git a/src/server/sql/database_privilege_operations.rs b/src/server/sql/database_privilege_operations.rs
index afb1088..0c4c8b7 100644
--- a/src/server/sql/database_privilege_operations.rs
+++ b/src/server/sql/database_privilege_operations.rs
@@ -114,7 +114,7 @@ pub async fn unsafe_get_database_privileges_for_db_user_pair(
 connection: &mut MySqlConnection,
 ) -> Result, sqlx::Error> {
 let result = sqlx::query_as::<_, DatabasePrivilegeRow>(&format!(
- "SELECT {} FROM `db` WHERE `Db` = ? AND `User` = ?",
+ "SELECT {} FROM `db` WHERE `Db` = ? AND `User` = ? AND `Host` = '%'",
 DATABASE_PRIVILEGE_FIELDS
 .iter()
 .map(|field| quote_identifier(field))
@@ -234,11 +234,12 @@ async fn unsafe_apply_privilege_diff(
 DatabasePrivilegesDiff::New(p) => {
 let tables = DATABASE_PRIVILEGE_FIELDS
 .iter()
+ .chain(&["Host"])
 .map(|field| quote_identifier(field))
 .join(",");
 
 let question_marks =
- std::iter::repeat_n("?", DATABASE_PRIVILEGE_FIELDS.len()).join(",");
+ std::iter::repeat_n("?", DATABASE_PRIVILEGE_FIELDS.len() + 1).join(",");
 
 sqlx::query(format!("INSERT INTO `db` ({tables}) VALUES ({question_marks})").as_str())
 .bind(p.db.to_string())
@@ -254,6 +255,7 @@ async fn unsafe_apply_privilege_diff(
 .bind(yn(p.create_tmp_table_priv))
 .bind(yn(p.lock_tables_priv))
 .bind(yn(p.references_priv))
+ .bind("%")
 .execute(connection)
 .await
 .map(|_| ())
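Review bot: The wildcard host is written into the SQL text as the literal `'%'` in the changed SELECT of `unsafe_get_database_privileges_for_db_user_pair`, while the INSERT/UPDATE/DELETE hunks below bind it as the parameter `"%"`, and the user_operations.rs hunks inline the literal again, so the "managed accounts live on host %" convention is now spelled out in seven places through two different mechanisms. A single constant, e.g. `const MANAGED_ACCOUNT_HOST: &str = "%";` with a doc comment explaining why every managed row is keyed on that host, bound via `.bind(MANAGED_ACCOUNT_HOST)` wherever a `Host` condition appears, would keep the convention from drifting and make it greppable. Binding it consistently also keeps the host value out of the query text, matching how `Db` and `User` are already passed. The function's body continues outside the hunk.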
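Review bot: In the `DatabasePrivilegesDiff::New` arm, `DATABASE_PRIVILEGE_FIELDS.len() + 1` in the placeholder count silently mirrors the `.chain(&["Host"])` added to the column list a few lines earlier, so the two can drift apart if another column is appended later. Building the column list once and deriving both strings from it removes that coupling, e.g. `let columns: Vec<&str> = DATABASE_PRIVILEGE_FIELDS.iter().copied().chain(["Host"]).collect();` followed by `let tables = columns.iter().map(|field| quote_identifier(field)).join(",");` and `let question_marks = std::iter::repeat_n("?", columns.len()).join(",");` (this assumes `DATABASE_PRIVILEGE_FIELDS` is a slice of `&str`, which is not visible in the hunk). The bind order must still match the column order; the `.bind("%")` in the following hunk lines up with the trailing `Host` column, and a short comment there saying so would help the next person who adds a field. The enclosing function starts and ends outside the hunk.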
@@ -278,28 +280,33 @@ async fn unsafe_apply_privilege_diff(
 }
 }
 
- sqlx::query(format!("UPDATE `db` SET {changes} WHERE `Db` = ? AND `User` = ?").as_str())
- .bind(p.select_priv.map(change_to_yn))
- .bind(p.insert_priv.map(change_to_yn))
- .bind(p.update_priv.map(change_to_yn))
- .bind(p.delete_priv.map(change_to_yn))
- .bind(p.create_priv.map(change_to_yn))
- .bind(p.drop_priv.map(change_to_yn))
- .bind(p.alter_priv.map(change_to_yn))
- .bind(p.index_priv.map(change_to_yn))
- .bind(p.create_tmp_table_priv.map(change_to_yn))
- .bind(p.lock_tables_priv.map(change_to_yn))
- .bind(p.references_priv.map(change_to_yn))
- .bind(p.db.to_string())
- .bind(p.user.to_string())
- .execute(connection)
- .await
- .map(|_| ())
+ sqlx::query(
+ format!("UPDATE `db` SET {changes} WHERE `Db` = ? AND `User` = ? AND `Host` = ?")
+ .as_str(),
+ )
+ .bind(p.select_priv.map(change_to_yn))
+ .bind(p.insert_priv.map(change_to_yn))
+ .bind(p.update_priv.map(change_to_yn))
+ .bind(p.delete_priv.map(change_to_yn))
+ .bind(p.create_priv.map(change_to_yn))
+ .bind(p.drop_priv.map(change_to_yn))
+ .bind(p.alter_priv.map(change_to_yn))
+ .bind(p.index_priv.map(change_to_yn))
+ .bind(p.create_tmp_table_priv.map(change_to_yn))
+ .bind(p.lock_tables_priv.map(change_to_yn))
+ .bind(p.references_priv.map(change_to_yn))
+ .bind(p.db.to_string())
+ .bind(p.user.to_string())
+ .bind("%")
+ .execute(connection)
+ .await
+ .map(|_| ())
 }
 DatabasePrivilegesDiff::Deleted(p) => {
- sqlx::query("DELETE FROM `db` WHERE `Db` = ? AND `User` = ?")
+ sqlx::query("DELETE FROM `db` WHERE `Db` = ? AND `User` = ? AND `Host` = ?")
 .bind(p.db.to_string())
 .bind(p.user.to_string())
+ .bind("%")
 .execute(connection)
 .await
 .map(|_| ())
diff --git a/src/server/sql/user_operations.rs b/src/server/sql/user_operations.rs
index b420a2b..c296a46 100644
--- a/src/server/sql/user_operations.rs
+++ b/src/server/sql/user_operations.rs
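Review bot: The `Deleted` arm now removes only the `db` row whose `Host` is `'%'`, so a row for the same `Db`/`User` pair registered under any other host would survive the revocation, and because the reads in this file are filtered on the same host it would also stop being reported, leaving the grant effective but invisible to the tool. Whether such rows can exist depends on how accounts are created elsewhere, which is outside this hunk; if the invariant is that every managed account lives on `'%'`, it is worth stating on `unsafe_apply_privilege_diff`, e.g. `/// Only the '%' host row of each Db/User pair is managed; rows on other hosts are neither read nor modified.` The query result that `.map(|_| ())` discards in both the UPDATE and DELETE paths carries `rows_affected()`, which could be used to log when a change matched no row, giving operators a signal that the expected row was not where the tool assumes. The enclosing `match` and function start outside the hunk.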
@@ -39,6 +39,7 @@ pub(super) async fn unsafe_user_exists(
 SELECT 1
 FROM `mysql`.`user`
 WHERE `User` = ?
+ AND `Host` = '%'
 )
 ",
 )
@@ -67,6 +68,7 @@ pub async fn complete_user_name(
 FROM `mysql`.`user`
 WHERE `User` REGEXP ?
 AND `User` LIKE ?
+ AND `Host` = '%'
 ",
 )
 .bind(create_user_group_matching_regex(unix_user, group_denylist))
@@ -462,7 +464,7 @@ pub async fn list_database_users(
 DB_USER_SELECT_STATEMENT_MARIADB.to_string()
 } else {
 DB_USER_SELECT_STATEMENT_MYSQL.to_string()
- } + "WHERE `mysql`.`user`.`User` = ?"),
+ } + "WHERE `mysql`.`user`.`User` = ? AND `mysql`.`user`.`Host` = '%'"),
 )
 .bind(db_user.as_str())
 .fetch_optional(&mut *connection)
@@ -499,7 +501,7 @@ pub async fn list_all_database_users_for_unix_user(
 DB_USER_SELECT_STATEMENT_MARIADB.to_string()
 } else {
 DB_USER_SELECT_STATEMENT_MYSQL.to_string()
- } + "WHERE `user`.`User` REGEXP ?"),
+ } + "WHERE `user`.`User` REGEXP ? AND `user`.`Host` = '%'"),
 )
 .bind(create_user_group_matching_regex(unix_user, group_denylist))
 .fetch_all(&mut *connection)
@@ -534,7 +536,7 @@ pub async fn set_databases_where_user_has_privileges(
 r"
 SELECT `Db` AS `database`
 FROM `db`
- WHERE `User` = ? AND ({})
+ WHERE `User` = ? AND `Host` = '%' AND ({})
 ",
 DATABASE_PRIVILEGE_FIELDS
 .iter()
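Review bot: With the added `AND `Host` = '%'`, `unsafe_user_exists` now answers whether the account `user@'%'` exists rather than whether any account with that name exists; a same-named account on another host would be reported as absent, and any creation path that relies on this check (not visible here) could then proceed against a name that is already taken on the server. If that narrowing is intended, the function's doc comment should say so, e.g. `/// Returns whether user@'%' exists; same-named accounts on other hosts are ignored.`, and the same caveat applies to the `Host` filters added in `complete_user_name`, `list_database_users`, `list_all_database_users_for_unix_user` and `set_databases_where_user_has_privileges` later in this file. The `'%'` literal is inlined into five query strings here; a shared constant would keep it in step with the `"%"` that the database_privilege_operations.rs hunks bind as a parameter. Every enclosing function in this file section starts outside its hunk.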