[MDEV-7414] Debian package installation of MariaDB server fails if a double quotation mark is used on the root password Created: 2015-01-06  Updated: 2022-09-08

Status: Confirmed
Project: MariaDB Server
Component/s: Packaging, Platform Debian
Affects Version/s: 5.5.41, 10.0.15, 10.2.3
Fix Version/s: 5.5

Type: Bug Priority: Minor
Reporter: Jean Weisbuch Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 0
Labels: debian, packaging
Environment:

Debian


Issue Links:
Relates
relates to MDEV-4664 mysql_upgrade crashes if root's passw... Closed

 Description   

Package installation of MariaDB server using Debian packages fails if a double quotation mark character (") is used in the root password, due to a lack of input sanitization.

As a result, the post-install script from the mariadb-server-. package will try to run a query such as:

UPDATE user SET password=PASSWORD("wx"yz") WHERE user='root';

Which is invalid and will throw an incorrect error such as:

ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'yz") WHERE user='root';' at line 1

The incriminated code is located in mariadb-server-10.0.postinst: https://github.com/ottok/mariadb-10.0/blob/795666b08a79cfc418d9c6e7fac690ccdea41539/debian/mariadb-server-10.0.postinst#L43
The query is generated on line 43 using the password from $rootpw, taken at line 183 from debconf or the interactive dialog, without doing any sanitization or checks.

Forbidding some special characters in the interactive dialog would be a good thing (if possible), as using some special characters such as a single quotation mark or a backtick might be problematic at some other points: MDEV-4664.

Another simple solution for this specific bug would be to escape double quotation marks from the $rootpw variable before generating the query at line 41.

This bug was originally reported on IRC by rachie



 Comments   
Comment by Andrii Nikitin (Inactive) [ 2016-11-02 ]

Verified in 10.2 with latest internal build http://buildbot.askmonty.org/buildbot/builders/kvm-deb-trusty-amd64/builds/3854
revision c6713f651f5a50709273d14ce5732f7ef3409737

Comment by Daniel Black [ 2022-01-29 ]

There is a fairly rugged form of escaping in https://github.com/MariaDB/mariadb-docker/blob/013d851b19cee4a109c849bb45ae08ce4c974ac4/docker-entrypoint.sh#L266

rugged escaping

# SQL escape the string $1 to be placed in a string literal.
# escape, \ followed by '
docker_sql_escape_string_literal() {
	local newline=$'\n'
	local escaped=${1//\\/\\\\}
	escaped="${escaped//$newline/\\n}"
	echo "${escaped//\'/\\\'}"
}
 
rootPasswordEscaped=$( docker_sql_escape_string_literal "${MARIADB_ROOT_PASSWORD}" )

+

required absence of NO_BACKSLASH_ESCAPES

SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');

+

shell construct and --binary mysql client mode

mysql --database=mysql --binary-mode <<-EOSQL
		SET @@SESSION.SQL_LOG_BIN=0;
		-- we need the SQL_MODE NO_BACKSLASH_ESCAPES mode to be clear for the password to be set
		SET @@SESSION.SQL_MODE=REPLACE(@@SESSION.SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');
		SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${rootPasswordEscaped}') ;
EOSQL
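
The following is an added example, not code from the issue, the Debian packaging or mariadb-docker: it applies the escaping suggested in the description to the double-quoted query form and checks that the string literal still closes where intended. Function names and sample passwords are constructed, and it assumes the session has neither NO_BACKSLASH_ESCAPES nor ANSI_QUOTES set.

```sh
#!/bin/sh
# Added example: hypothetical helper names, constructed sample passwords.

# Escape $1 for use inside a double-quoted SQL string literal.
# Backslashes are doubled first so the backslashes added for quotes
# are not escaped a second time.
# Note: command substitution drops trailing newlines from the value.
sql_escape_dq() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the query in the same shape as the one quoted in the description.
build_query() {
    printf "UPDATE user SET password=PASSWORD(\"%s\") WHERE user='root';" "$1"
}

# Count double quotes that are not consumed by a backslash escape.
# Removing every backslash+character pair left to right leaves only
# the quotes that actually open or close a literal.
count_unescaped_dq() {
    printf '%s' "$1" | sed -e 's/\\.//g' | tr -cd '"' | wc -c | tr -d ' '
}

# The statement is well formed only if exactly two delimiting quotes remain:
# the opening and closing quote of the single password literal.
query_is_well_formed() {
    [ "$(count_unescaped_dq "$1")" -eq 2 ]
}

# Constructed passwords: embedded quote, trailing backslash, plain.
for pw in 'wx"yz' 'a\' 'plain'; do
    for q in "$(build_query "$pw")" "$(build_query "$(sql_escape_dq "$pw")")"; do
        if query_is_well_formed "$q"; then
            printf 'ok:     %s\n' "$q"
        else
            printf 'BROKEN: %s\n' "$q"
        fi
    done
done
```

A trailing backslash breaks the unescaped query just as the embedded quote does, because it escapes the closing delimiter.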
