#At file:///home/tsmith/m/bzr/bugteam/b35106-50/ based on revid:timothy.smith@stripped
2835 Timothy Smith 2009-10-30
Bug#48031: mysql_secure_installation -- bash bug regarding passwords with
special chars
Fix the escaping / quoting problem in the Perl version of this script, too.
The Perl version is packaged with the Windows binaries and suffered from
most of the same problems as the sh version.
modified:
scripts/mysql_secure_installation.pl.in
=== modified file 'scripts/mysql_secure_installation.pl.in'
--- a/scripts/mysql_secure_installation.pl.in 2009-10-30 20:28:33 +0000
+++ b/scripts/mysql_secure_installation.pl.in 2009-10-30 23:29:46 +0000
@@ -108,6 +108,15 @@ sub prepare {
}
}
+# Simple escape mechanism, suitable for two contexts:
+# - single-quoted SQL strings
+# - single-quoted option values on the right hand side of = in my.cnf
+sub basic_single_escape {
+ my ($str) = @_;
+ $str =~ s/([\'])/\\$1/g;
+ return $str;
+}
+
sub do_query {
my $query = shift;
write_file($command, $query);
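Review bot: `basic_single_escape` escapes only the single quote, because inside a Perl character class `[\']` is an escaped `'` and does not match a backslash. Both target contexts treat backslash as an escape character (SQL string literals unless NO_BACKSLASH_ESCAPES is set, and my.cnf option values). A password containing `\` is therefore stored differently from what was typed, and a backslash directly before the closing quote stops it from terminating the string. Escape the backslash as well, `$str =~ s/([\'\\])/\\$1/g;`, which covers both callers, in make_config and set_root_password.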
@@ -119,11 +128,12 @@ sub do_query {
sub make_config {
my $password = shift;
+ my $esc_pass = basic_single_escape($rootpass);
write_file($config,
"# mysql_secure_installation config file",
"[mysql]",
"user=root",
- "password=$rootpass");
+ "password='$esc_pass'");
}
sub get_root_password {
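Review bot: The added line escapes the global `$rootpass`, while the `$password` argument that make_config shifts off on the line above is never used. If a caller passes anything other than the current value of `$rootpass` (the callers are outside this hunk), the config file is written with a password the caller did not ask for. `my $esc_pass = basic_single_escape($password);` would make the function honour its argument. The unused parameter predates this commit, but the new line is the natural place to fix it.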
@@ -165,8 +175,8 @@ sub set_root_password {
last;
}
- # FIXME: Quote password1 properly for SQL
- do_query("UPDATE mysql.user SET Password=PASSWORD('$password1') WHERE User='root';")
+ my $esc_pass = basic_single_escape($password1);
+ do_query("UPDATE mysql.user SET Password=PASSWORD('$esc_pass') WHERE User='root';")
or die "Password update failed!\n";
print "Password updated successfully!\n";
Attachment: [text/bzr-bundle] bzr/timothy.smith@sun.com-20091030232946-549055arhdg3azc3.bundle