#At file:///home/tsmith/m/bzr/bugteam/b48031-50/ based on revid:alexey.kopytov@stripped
2834 Timothy Smith 2009-10-30
Bug#48031: mysql_secure_installation -- bash bug regarding passwords with
special chars
This script failed when the user tried passwords with multiple spaces, \, # or
' characters. Now proper escaping and quoting is used in all contexts.
modified:
scripts/mysql_secure_installation.sh
=== modified file 'scripts/mysql_secure_installation.sh'
--- a/scripts/mysql_secure_installation.sh 2007-01-01 04:31:23 +0000
+++ b/scripts/mysql_secure_installation.sh 2009-10-30 22:13:49 +0000
@@ -38,16 +38,26 @@ prepare() {
}
do_query() {
- echo $1 >$command
+ echo "$1" >$command
+ #sed 's,^,> ,' < $command
mysql --defaults-file=$config <$command
return $?
}
+# Simple escape mechanism, suitable for two contexts:
+# - single-quoted SQL strings
+# - single-quoted option values on the right hand side of = in my.cnf
+basic_single_escape () {
+ echo "$1" | sed 's/\(['"'"'\]\)/\\\1/g'
+}
+
make_config() {
echo "# mysql_secure_installation config file" >$config
echo "[mysql]" >>$config
echo "user=root" >>$config
- echo "password=$rootpass" >>$config
+ esc_pass=`basic_single_escape "$rootpass"`
+ echo "password='$esc_pass'" >>$config
+ #sed 's,^,> ,' < $config
}
get_root_password() {
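Review bot: The new `echo "$1"` in do_query and in basic_single_escape still sends the password through echo, and on a shell whose echo interprets backslash sequences (dash as /bin/sh, or bash with xpg_echo) input such as `\n` or `\c` is rewritten before sed or mysql sees it, so passwords containing `\` can still be mangled. `printf '%s\n' "$1" >"$command"` and `printf '%s\n' "$1" | sed 's/\(['"'"'\]\)/\\\1/g'` avoid that and also quote the file name. The two commented-out `#sed 's,^,> ,'` lines would print the SQL and the config file, both of which carry the root password, to the terminal if re-enabled, so I would drop them rather than commit them. The shebang is outside the hunk, so which shell actually runs this script is an assumption.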
@@ -94,7 +104,8 @@ set_root_password() {
return 1
fi
- do_query "UPDATE mysql.user SET Password=PASSWORD('$password1') WHERE User='root';"
+ esc_pass=`basic_single_escape "$password1"`
+ do_query "UPDATE mysql.user SET Password=PASSWORD('$esc_pass') WHERE User='root';"
if [ $? -eq 0 ]; then
echo "Password updated successfully!"
echo "Reloading privilege tables.."
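Review bot: The escaping applied to `$password1` before `PASSWORD('$esc_pass')` is only correct while the server treats backslash as an escape character. With `NO_BACKSLASH_ESCAPES` in sql_mode, the `\'` produced by basic_single_escape no longer escapes the quote, so a password containing `'` would end the literal early and the UPDATE would fail or have the rest of the password parsed as SQL. I would at least record the assumption at the call, e.g. `# esc_pass assumes backslash escapes are enabled (sql_mode without NO_BACKSLASH_ESCAPES)`, or check the mode before building the statement. The statement, new password included, is also written to `$command` by do_query, so that file's permissions and cleanup matter; those are handled outside this hunk, as are the start and end of set_root_password.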
Attachment: [text/bzr-bundle] bzr/timothy.smith@sun.com-20091030221349-2xmgttaztslwqt5w.bundle