Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-7414

Debian package installation of MariaDB server fails if a double quotation mark is used on the root password




      Package installation of MariaDB server using Debian packages fails if a double quotation mark character (") is used on the root password due to a lack of input sanitization.

      As a result, the post install script from the mariadb-server-. package will try to run a query such as :

      UPDATE user SET password=PASSWORD("wx"yz") WHERE user='root';

      Which is invalid and will throw an incorrect error such as :

      ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'yz") WHERE user='root';' at line 1

      The incriminated code is located on mariadb-server-10.0.postinst : https://github.com/ottok/mariadb-10.0/blob/795666b08a79cfc418d9c6e7fac690ccdea41539/debian/mariadb-server-10.0.postinst#L43
      The query is generated on line 43 using the password from $rootpw took at line 183 from debconf or the interactive dialog without doing any sanitization or checks.

      Forbidding some special character on the interactive dialog would be a good think (if possible) as using some special characters such as a single quotation mark or a backtick might be problematic at some other points : MDEV-4664.

      Another simple solution for this specific bug would be to escape double quotation marks from the $rootpw variable before generating the query at line 41.

      – This bug was originally reported on IRC by rachie


        Issue Links



              serg Sergei Golubchik
              jb-boin Jean Weisbuch
              0 Vote for this issue
              3 Start watching this issue



                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.