Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Minor
-
Resolution: Unresolved
-
5.5.41, 10.0.15, 10.2.3
-
Debian
Description
Package installation of MariaDB server using Debian packages fails if a double quotation mark character (") is used on the root password due to a lack of input sanitization.
As a result, the post install script from the mariadb-server-. package will try to run a query such as :
UPDATE user SET password=PASSWORD("wx"yz") WHERE user='root';
|
Which is invalid and will throw an incorrect error such as :
ERROR: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'yz") WHERE user='root';' at line 1
|
The incriminated code is located on mariadb-server-10.0.postinst : https://github.com/ottok/mariadb-10.0/blob/795666b08a79cfc418d9c6e7fac690ccdea41539/debian/mariadb-server-10.0.postinst#L43
The query is generated on line 43 using the password from $rootpw took at line 183 from debconf or the interactive dialog without doing any sanitization or checks.
Forbidding some special character on the interactive dialog would be a good think (if possible) as using some special characters such as a single quotation mark or a backtick might be problematic at some other points : MDEV-4664.
Another simple solution for this specific bug would be to escape double quotation marks from the $rootpw variable before generating the query at line 41.
– This bug was originally reported on IRC by rachie
Attachments
Issue Links
- relates to
-
-
- Closed
-
Activity
There is a fairly rugged form of escaping in https://github.com/MariaDB/mariadb-docker/blob/013d851b19cee4a109c849bb45ae08ce4c974ac4/docker-entrypoint.sh#L266
|
ruggard escaping |
# SQL escape the string $1 to be placed in a string literal.
|
# escape, \ followed by '
|
docker_sql_escape_string_literal() {
|
local newline=$'\n'
|
local escaped=${1//\\/\\\\}
|
escaped="${escaped//$newline/\\n}"
|
echo "${escaped//\'/\\\'}"
|
}
|
|
|
rootPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}" )
|
+
|
required absence of NO_BACKSLASH_ESCAPES |
SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
|
+
|
shell construct and --binary mysql client mode |
mysql --database=mysql --binary-mode <<-EOSQL
|
SET @@SESSION.SQL_LOG_BIN=0;
|
-- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set
|
SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
|
SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${rootPasswordEscaped}') ;
|
EOSQL
|
Verified in 10.2 with latest internal build http://buildbot.askmonty.org/buildbot/builders/kvm-deb-trusty-amd64/builds/3854
revision c6713f651f5a50709273d14ce5732f7ef3409737