Bug: Missing privilege checks for the COMMENT ON PARAMETER command on functions in packages
Summary
The privilege checks for the COMMENT ON PARAMETER command on functions in packages are missing.
Reproduced on firebirdsql/firebird:latest (LI-V5.0.3.1683): a low-privilege user u1 can comment on package functions' arguments created by SYSDBA.
Environment
- Server: Firebird LI-V5.0.3.1683 (image firebirdsql/firebird:latest; /opt/firebird/bin/firebird -z shows "Firebird TCP/IP server version LI-V5.0.3.1683 Firebird 5.0")
- Client: isql
Reproduction steps
- (If the environment is empty) create a test DB as SYSDBA and connect.
- Connect as SYSDBA and create a package with a function and an empty user:
-- create a package with a function
SET TERM ^;
CREATE PACKAGE APP_VAR AS
BEGIN
FUNCTION GET_DATEBEGIN(arg1 VARCHAR(20)) RETURNS DATE DETERMINISTIC;
END
^
SET TERM ;^
-- create an empty user (no privileges granted)
CREATE USER u1 PASSWORD 'u1pass';
COMMIT;
- Reconnect as u1 and run the following commands (the first SELECT fails because u1 has no permission, but the COMMENT ON command is executed, which looks like a bug):
SELECT APP_VAR.GET_DATEBEGIN('100') from RDB$DATABASE; -- fails as expected
COMMENT ON PARAMETER APP_VAR.GET_DATEBEGIN.ARG1 IS 'Unauthorized COMMENT Command'; -- should fail, but succeeds
COMMIT;
-- show the modified comment
SELECT
TRIM(RDB$ARGUMENT_NAME) AS PARAMETER_NAME,
CAST(RDB$DESCRIPTION AS VARCHAR(255)) AS "COMMENT"
FROM
RDB$FUNCTION_ARGUMENTS
WHERE
TRIM(RDB$PACKAGE_NAME) = 'APP_VAR'
AND TRIM(RDB$FUNCTION_NAME) = 'GET_DATEBEGIN';
Expected result
The COMMENT ON command should fail, since the user u1 does not have the ALTER privilege for the target function.
Actual result
The COMMENT ON command succeeds.
SQL> select APP_VAR.GET_DATEBEGIN('100') from RDB$DATABASE;
Statement failed, SQLSTATE = 28000
no permission for EXECUTE access to PACKAGE APP_VAR
-Effective user is GRIFFIN_TEST_USER
SQL> COMMENT ON PARAMETER APP_VAR.GET_DATEBEGIN.ARG1 IS 'Unauthorized COMMENT Command';
SQL> COMMIT;
SQL> SELECT
CON> TRIM(RDB$ARGUMENT_NAME) AS PARAMETER_NAME,
CON> CAST(RDB$DESCRIPTION AS VARCHAR(255)) AS "COMMENT"
CON> FROM
CON> RDB$FUNCTION_ARGUMENTS
CON> WHERE
CON> TRIM(RDB$PACKAGE_NAME) = 'APP_VAR'
CON> AND TRIM(RDB$FUNCTION_NAME) = 'GET_DATEBEGIN';
PARAMETER_NAME COMMENT
====================================== ======================================
ARG1 Unauthorized COMMENT Command
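Added example, not part of the report: an audit and clean-up script a DBA can run as SYSDBA on a database where this behaviour is suspected. The package, function and parameter names come from the reproduction above; the first query is generalised beyond that case to every packaged function argument and packaged procedure parameter that carries a comment, which is a constructed check rather than anything the Firebird project ships.

```sql
-- Added example (not from the report): audit and clean-up, run as SYSDBA.
-- Package, function and parameter names are the ones used in the report;
-- the audit query covers all packaged routines, not only APP_VAR.

-- 1. List every parameter of a packaged routine that has a comment,
--    so unexpected text (such as the one written by u1 above) can be reviewed.
SELECT 'FUNCTION' AS ROUTINE_KIND,
       TRIM(RDB$PACKAGE_NAME)  AS PACKAGE_NAME,
       TRIM(RDB$FUNCTION_NAME) AS ROUTINE_NAME,
       TRIM(RDB$ARGUMENT_NAME) AS PARAMETER_NAME,
       CAST(RDB$DESCRIPTION AS VARCHAR(255)) AS "COMMENT"
FROM RDB$FUNCTION_ARGUMENTS
WHERE RDB$PACKAGE_NAME IS NOT NULL
  AND RDB$DESCRIPTION IS NOT NULL
UNION ALL
SELECT 'PROCEDURE',
       TRIM(RDB$PACKAGE_NAME),
       TRIM(RDB$PROCEDURE_NAME),
       TRIM(RDB$PARAMETER_NAME),
       CAST(RDB$DESCRIPTION AS VARCHAR(255))
FROM RDB$PROCEDURE_PARAMETERS
WHERE RDB$PACKAGE_NAME IS NOT NULL
  AND RDB$DESCRIPTION IS NOT NULL
ORDER BY 2, 3, 4;

-- 2. Clear the comment that u1 was able to write in the report.
COMMENT ON PARAMETER APP_VAR.GET_DATEBEGIN.ARG1 IS NULL;
COMMIT;

-- 3. Confirm the parameter no longer carries a description
--    (RDB$DESCRIPTION is expected to be NULL for ARG1 now).
SELECT TRIM(RDB$ARGUMENT_NAME) AS PARAMETER_NAME,
       RDB$DESCRIPTION
FROM RDB$FUNCTION_ARGUMENTS
WHERE TRIM(RDB$PACKAGE_NAME) = 'APP_VAR'
  AND TRIM(RDB$FUNCTION_NAME) = 'GET_DATEBEGIN';
```

The audit query reads only system tables, so it is safe to run on a production database; the return-value row of a function appears with a NULL RDB$ARGUMENT_NAME and is listed as well if it has been commented. Clearing the comment restores the metadata but does not itself prevent a repeat, which needs the server-side privilege check the report asks for.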