[MDEV-10527] dpkg configuration script does not escape input
Created: 2016-08-10 | Updated: 2018-08-05 | Resolved: 2018-08-05

| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Packaging, Platform Debian |
| Affects Version/s: | 5.5, 10.0, 10.1 |
| Fix Version/s: | N/A |
| Type: | Bug | Priority: | Trivial |
| Reporter: | Alexander Schittler | Assignee: | Otto Kekäläinen |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | packaging |
| Environment: | Ubuntu Xenial |
| Description |
|
The configuration script invoked by `dpkg` does not do any escaping of the root password, failing the installation if certain characters are used.
Sample input (generated by `pwgen`): Hyw4Go,:ItWku*N"%|3JE#`5HzKzW{Uq
Outcome: |
| Comments |
| Comment by Elena Stepanova [ 2016-08-14 ] | |
|
Thanks for the report. Reproducible on current 10.1 (10.1.16). I didn't try other versions, but from the look of it, they should also be affected, including 10.2. The postinst script does
where $rootpw is what the dialog returns. So, in this case the double-quote symbol is the issue. As I understand, modern packages provided by Debian shouldn't be affected. | |
| Comment by Otto Kekäläinen [ 2016-11-25 ] | |
|
What do you suggest as the solution? Using single quotes will output '$rootpw' instead of the variable contents. And what is the failure scenario, how many need double quotes in their passwords? This will anyway be fixed once | |
| Comment by Otto Kekäläinen [ 2018-08-05 ] | |
|
Closing issue as not relevant, since users don't need quote marks in their passwords and the whole maintainer script will have this section removed anyway now when we are finally going to include
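
The quoting question raised in the comments, worked through as an added example (not part of the original issue and not the postinst's own code, which this page does not show): the SQL literal's quotes sit inside the shell's double-quoted string, so the variable still expands, and the value is escaped before it is embedded. The function names, the `SET PASSWORD` statement and the constructed `tricky` sample are assumptions, as is the server's default `sql_mode` (backslash escapes enabled).

```shell
#!/bin/sh
# Added example: quoting a password for a SQL string literal built in shell.
# The statements are illustrative; they are not taken from the MariaDB postinst.

# Escape a value for a single-quoted SQL string literal.
# Assumption: default sql_mode, where backslash is an escape character
# (NO_BACKSLASH_ESCAPES is off). Backslashes are doubled first, then quotes.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Hypothetical statement of the shape the comments describe: the raw value
# placed inside a double-quoted SQL literal with no escaping.
build_naive() {
    printf 'SET PASSWORD FOR root@localhost = PASSWORD("%s");' "$1"
}

# Hardened form: the value is escaped, then placed in a single-quoted SQL
# literal. The SQL quotes are ordinary characters in the printf format and
# the value is passed as a separate argument, so "$1" is still expanded.
build_quoted() {
    printf "SET PASSWORD FOR root@localhost = PASSWORD('%s');" "$(sql_quote "$1")"
}

# Sample password from the report (single-quoted so the shell keeps it literal).
rootpw='Hyw4Go,:ItWku*N"%|3JE#`5HzKzW{Uq'
# Constructed sample containing a single quote and a backslash.
tricky="it's a \\ test"

echo "naive:  $(build_naive "$rootpw")"    # the embedded " ends the literal early
echo "quoted: $(build_quoted "$rootpw")"
echo "quoted: $(build_quoted "$tricky")"
```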