Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-7414

Debian package installation of MariaDB server fails if a double quotation mark is used on the root password



      Package installation of MariaDB server using Debian packages fails if a double quotation mark character (") is used on the root password due to a lack of input sanitization.

      As a result, the post install script from the mariadb-server-. package will try to run a query such as :

      UPDATE user SET password=PASSWORD("wx"yz") WHERE user='root';

      Which is invalid and will throw an incorrect error such as :

      ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'yz") WHERE user='root';' at line 1

      The incriminated code is located on mariadb-server-10.0.postinst : https://github.com/ottok/mariadb-10.0/blob/795666b08a79cfc418d9c6e7fac690ccdea41539/debian/mariadb-server-10.0.postinst#L43
      The query is generated on line 43 using the password from $rootpw took at line 183 from debconf or the interactive dialog without doing any sanitization or checks.

      Forbidding some special character on the interactive dialog would be a good think (if possible) as using some special characters such as a single quotation mark or a backtick might be problematic at some other points : MDEV-4664.

      Another simple solution for this specific bug would be to escape double quotation marks from the $rootpw variable before generating the query at line 41.

      This bug was originally reported on IRC by rachie


          Issue Links



              • Assignee:
                serg Sergei Golubchik
                jb-boin Jean Weisbuch
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created: