MySQL Bugs: #27884: mysql --html does not quote HTML special characters in output

Bug #27884	mysql --html does not quote HTML special characters in output
Submitted:	17 Apr 2007 17:06	Modified:	16 Dec 2009 16:33
Reporter:	Thomas Henlich
Status:	Closed
Category:	Client	Severity:	S3 (Non-critical)
Version:	5.0.37, 5.0.26, 5.0.45, 5.0.66, 5.0.67	OS:	Any
Assigned to:	Jim Winstead	Target Version:	5.0+
Triage:	Triaged: D2 (Serious)

Description:
The mysql command-line client does not quote HTML special characters like & < > " in its
output. This allows an attacker who is able to write data into a table to inject
potentially dangerous code, e. g. Javascript, into the output.

How to repeat:
c:\> mysql --html -execute "select '<a>'"

<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>

Suggested fix:
The quoting of special characters should be the same as for XML output, e. g.:
c:\> mysql --xml -execute "select 'b<a>'"

<?xml version="1.0"?>

<resultset statement="select 'b&lt;a&gt;'
">
  <row>
	<field name="b&lt;a&gt;">b&lt;a&gt;</field>
  </row>
</resultset>

Thank you for a bug report. Verified just as described.

The option should read --execute and not -execute

Patch to fix lack of HTML encoding

Attachment: bug27884.patch (text/plain), 1.70 KiB.

Request to review/push the patch.

Any version of MySQL could be impacted by this bug.

Good, except I would also include "apos" in the predef entity list.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/72932

2875 Jim Winstead	2009-04-28
      Bug #27884: mysql --html does not quote HTML special characters in output
      
        Fix encoding of field values and names in HTML output from mysql client.
      modified:
        client/mysql.cc
        mysql-test/r/mysql.result
        mysql-test/t/mysql.test

Queued to lp:~mysql-cteam/mysql-server/5.1.

This is queued for 5.1 but will it be fixed in 5.0? There was a lot of customer demand in
this as well as the fact it had a CVE, even if the impact is probably reasonably low.

Pushed into 5.1.36 (revid:joro@sun.com-20090528073639-yohsb4q1jzg7ycws) (version source
revid:mats@sun.com-20090511132802-nnkiyb2huih1tklz) (merge vers: 5.1.35) (pib:6)

Noted in 5.1.36 changelog.

Output from mysql --html did not encode the <, >, or & characters.

Setting to NDI pending push into 6.0.x.

Pushed into 5.4.4-alpha (revid:alik@sun.com-20090616183122-chjzbaa30qopdra9) (version
source revid:jimw@mysql.com-20090505173706-9ze3q4qzngw8kt2b) (merge vers: 6.0.12-alpha)
(pib:11)

Repeat; will this be fixed in 5.0 => lots of customers raised concern about 5.0
pecificlaly

Noted in 5.4.4 changelog.

Noted in 5.4.2 changelog because next 5.4 version will be 5.4.2 and not 5.4.4.

Ignore previous comment about 5.4.2.

Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l)
(version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers:
5.1.37-ndb-7.0.8) (pib:11)

Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc)
(version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers:
5.1.37-ndb-6.3.27) (pib:11)

Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4)
(version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers:
5.1.37-ndb-6.2.19) (pib:11)

Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr)
(version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers:
5.1.37-ndb-7.0.8) (pib:11)

[18 Jun 2:56] Trent Lloyd
Repeat; will this be fixed in 5.0 => lots of customers raised concern about 5.0
specifically

Please, re-triage (it is more like I2/P2). Also note that target was set as 5.0+, but
development closed the bug without fixing in 5.0! This should never happen.

Will this be patched at all on 5.0 +?

The 5.4 fix has been pushed to 5.4.2.

Will this be patched at all on 5.0 +?

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/91358

2850 Jim Winstead	2009-11-23
      Backport fix for Bug #27884.

Fix is now queued to 5.0-bugteam.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/91917

2854 Georgi Kodinov	2009-11-27
      Addendum to Bug #27884: fixed test incompatibility on windows.

Pushed into 5.0.89 (revid:joro@sun.com-20091202075830-mzl79q7mc1v72pf1) (version source
revid:joro@sun.com-20091127134654-a2nx7yc8k02zcv0w) (merge vers: 5.0.89) (pib:13)

Pushed into 5.1.42 (revid:joro@sun.com-20091202080033-mndu4sxwx19lz2zs) (version source
revid:joro@sun.com-20091127141724-8aag7bic3nhj67ld) (merge vers: 5.1.42) (pib:13)

Noted in 5.0.89 changelog.

Already fixed in 5.1.x.

Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version
source revid:alik@sun.com-20091214191830-wznm8245ku8xo702) (merge vers: 6.0.14-alpha)
(pib:14)

Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version
source revid:alexey.kopytov@sun.com-20091201145844-39gy4wmejbisbxac) (merge vers:
5.5.0-beta) (pib:14)

Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version
source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta)
(pib:14)

Noted in 5.5.1, 6.0.14 changelogs.

This was reported as CVE-2008-4456 .