Bug #106631 MySQL ODBC Connector hangs in SQLDriverConnector if password contains '}'
Submitted: 3 Mar 2022 14:53
Modified: 10 Jun 2022 17:39
Reporter: Arthur Adolfo
Status: Closed
Category: Connector / ODBC
Severity: S2 (Serious)
Version: 8.0.28
OS: SUSE
Assigned to:
CPU Architecture: Any

[3 Mar 2022 14:53] Arthur Adolfo
Description:
The MySQL ODBC Connector is hanging when PWD parameter from connection string is escaped with {} and the PWD value contains }. 

For general ODBC drivers, the } character should be escaped by doubling it: ...;PWD={some}}password};...

It seems that MySQL ODBC Connector is not able to handle the parsing and it is hanging.

If the PWD is not escaped with {}, it works well. eg. ...;PWD=some}password;...

The error is happening with the latest community driver and is reproducible using isql -k command.

How to repeat:
Run:

isql -k "DRIVER={/driver/path/libmyodbc8a.so};SERVER={host.docker.internal};PORT=3306;UID={root};PWD={some}}password};DATABASE={mysql};" -v

The isql command will hang. This other command will hang as well (not doubling } in the password):

Run isql -k "DRIVER={/driver/path/libmyodbc8a.so};SERVER={host.docker.internal};PORT=3306;UID={root};PWD={some}password};DATABASE={mysql};" -v

Suggested fix:
Handle correctly the parsing of double } when PWD value is escaped with {}.
[16 Mar 2022 14:48] MySQL Verification Team
Hello Arthur Adolfo,

Thank you for the bug report.
Imho this is a duplicate of Bug #76310, please see Bug #76310.
Quoting Bogdan Degtyariov's comment from Bug #76310

Unfortunately, the curly braces symbols cannot be used in the passwords.
The ODBC driver manager would not allow that even if such possibility exists for the passwords set to MySQL Server users.
Please note it is not a limitation of MySQL ODBC Driver, but the Windows ODBC Driver Manager.

Regards,
Ashwini Patil
[16 Mar 2022 15:06] Pierre le Riche
"Unfortunately, the curly braces symbols cannot be used in the passwords.
The ODBC driver manager would not allow that even if such possibility exists for the passwords set to MySQL Server users.
Please note it is not a limitation of MySQL ODBC Driver, but the Windows ODBC Driver Manager."

This is not true. If you have a closing curly brace in a password you simply double it and the ODBC driver will interpret it as a single curly brace. You can verify this with the MSSQL ODBC driver.

Example: If the password is "12}34" the connection string should contain "12}}34".
[16 Mar 2022 15:11] Pierre le Riche
Here is the ODBC connection string format:

https://docs.microsoft.com/en-us/openspecs/sql_server_protocols/ms-odbcstr/55953f0e-2d30-4...

Note that escaped right curly braces are allowed.
[16 Mar 2022 15:19] Arthur Adolfo
First, I am seeing this behaviour on Linux, so Windows ODBC Manager is not used.
Second, as Pierre said, passwords with curly braces are allowed when we enclose it between {} in connection string. The problem is that MySQL driver is not recognizing }} for escaping } inside {} clause.

Please reopen the bug and try to fix it.

Thanks,
Arthur.
[22 Mar 2022 11:54] MySQL Verification Team
Bug #106789 marked as duplicate of this one
[22 Mar 2022 11:55] MySQL Verification Team
Hello Arthur Adolfo,

Thank you for the feedback.
Verified as described.

regards,
Umesh
[24 Mar 2022 13:40] Arthur Adolfo
Hi Umesh,

Thank you for your reply. I saw that the status of the bug is 'Verified'. What does it mean? Will someone work on this to fix the problem? Is there any estimated time for delivery? My company's product uses MySQL ODBC driver to connect with MySQL databases and this password limitation is affecting our customers.

Thanks,
Arthur.
[24 Mar 2022 16:58] MySQL Verification Team
Hello Arthur,

>>Thank you for your reply. I saw that the status of the bug is 'Verified'. What does it mean? Will someone work on this to fix the problem? 

It means that this bug report is accepted by the verifier as a real bug and we are able to repeat the described problem at our end. Once a bug is *Verified* then it goes to the development queue. I'm sorry but we are prohibited from discussing ETA on bug fixes/releases. Once this issue is fixed then more details would appear here and in the respective version's change log - https://dev.mysql.com/doc/relnotes/connector-odbc/en/news-8-0.html

regards,
Umesh
[12 May 2022 9:15] Bogdan Degtyariov
Posted by developer:
 
ODBC driver is now handling the password containing escaped curly brackets as follows:

mysql> create user 'testuser'@'%' identified by '{some}{password';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on *.* to 'testuser'@'%';
Query OK, 0 rows affected (0.00 sec)

$ isql -k "DRIVER={/....../lib/libmyodbc8w.so};SERVER={localhost};UID={testuser};PWD={{{some}}{{password};DATABASE=test" -v
+---------------------------------------+
| Connected!                            |
....
[18 May 2022 14:48] Arthur Adolfo
Hi, is the fix already in version 8.0.29? I tested with version 8.0.29 (https://dev.mysql.com/get/Downloads/Connector-ODBC/8.0/mysql-connector-odbc-8.0.29-linux-g...) and it is still not working, but now the driver doesn't hang anymore.

mysql> create user 'testuser3'@'%' identified by '{some}{password';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on *.* to 'testuser3'@'%';
Query OK, 0 rows affected (0.01 sec)

$ isql -k "DRIVER={/mysql-connector-odbc-8.0.29-linux-glibc2.12-x86-64bit/lib/libmyodbc8w.so};SERVER={localhost};UID={testuser3};PWD={{{some}}{{password};DATABASE=mysql" -v
[S1000][MySQL][ODBC 8.0(w) Driver]Access denied for user 'testuser3'@'127.0.0.1' (using password: YES)
[ISQL]ERROR: Could not SQLDriverConnect
[18 May 2022 15:10] Pierre le Riche
Left curly braces should not be escaped, only right curly braces.

Refer to the format here:
https://docs.microsoft.com/en-us/openspecs/sql_server_protocols/ms-odbcstr/55953f0e-2d30-4...
[18 May 2022 16:34] Arthur Adolfo
Hi Pierre,

Tried escaping only right curly braces, still not working:

$ isql -k "DRIVER={/mysql-connector-odbc-8.0.29-linux-glibc2.12-x86-64bit/lib/libmyodbc8a.so};SERVER={localhost};UID={testuser3};PWD={{some}}{password};DATABASE=mysql" -v
[S1000][MySQL][ODBC 8.0(a) Driver]Access denied for user 'testuser3'@'127.0.0.1' (using password: YES)
[ISQL]ERROR: Could not SQLDriverConnect
[18 May 2022 16:43] Pierre le Riche
My response was directed at Bogdan. I notice in the example he gave that the left curly braces are also escaped. That is not correct according to the ODBC connection string format posted on Microsoft's website.
[2 Jun 2022 8:29] Bogdan Degtyariov
Hi Pierre, Arthur,

Sorry for the confusion, the fix has been pushed into the source tree only.
It has not been released yet and the version 8.0.29 still contains the bug.

Sorry for the inconvenience and thanks for your patience.
[2 Jun 2022 8:35] Pierre le Riche
Hi Bogdan,

Left curly braces should not be escaped, according to the documentation from Microsoft:

https://docs.microsoft.com/en-us/openspecs/sql_server_protocols/ms-odbcstr/55953f0e-2d30-4...

The example you gave of the escaping syntax thus appears incorrect.

Pierre
[3 Jun 2022 13:13] Bogdan Degtyariov
Pierre,

you are quite right, thanks for bringing this point out.
The patch needs to be re-worked. Otherwise, it will be non-compliant with the ODBC Connection String Format described by Microsoft.
[6 Jun 2022 8:58] Bogdan Degtyariov
Changed the way the driver handles the curly brackets escaping:

mysql> create user 'testuser'@'%' identified by '{some}{password';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on *.* to 'testuser'@'%';
Query OK, 0 rows affected (0.00 sec)

$ isql -k "DRIVER={/....../lib/libmyodbc8w.so};SERVER={localhost};UID={testuser};PWD={{some}}{password};DATABASE=test" -v
+---------------------------------------+
| Connected!                            |
....
[10 Jun 2022 17:39] Philip Olson
Posted by developer:
 
Fixed as of the upcoming MySQL Connector/ODBC 8.0.30 release, and here's the proposed changelog entry from the documentation team:

Password parameters escaped with curly braces did not escape right curly
braces in the password value.

Thank you for the bug report and persistent discussion.
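
The escaping rule settled in this thread (inside a {...} value only '}' is doubled, '{' stays literal), as an added example that is not the Connector/ODBC code and not part of the original report: a small Python quoting helper and parser. The names quote_value and parse_conn_str are hypothetical, the grammar is simplified from the linked format description, and malformed input raises an error instead of looping.

```python
def quote_value(raw: str) -> str:
    """Brace-quote a value: only '}' is doubled, '{' is left as-is."""
    return "{" + raw.replace("}", "}}") + "}"


def parse_conn_str(s: str) -> dict:
    """Parse 'KEY=value;KEY={braced value};' into a dict (keys upper-cased)."""
    out, i, n = {}, 0, len(s)
    while i < n:
        if s[i] in "; \t":                      # skip separators and padding
            i += 1
            continue
        eq = s.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' at offset {i}")
        key = s[i:eq].strip().upper()
        i = eq + 1
        end = s.find(";", i)
        if i < n and s[i] == "{":
            i, buf = i + 1, []
            while True:                          # i advances on every pass
                close = s.find("}", i)
                if close < 0:
                    raise ValueError(f"unterminated brace in value of {key}")
                buf.append(s[i:close])
                if not s.startswith("}}", close):
                    i = close + 1                # single '}' closes the value
                    break
                buf.append("}")                  # '}}' is one literal '}'
                i = close + 2
            value = "".join(buf)
            end = s.find(";", i)
            end = n if end < 0 else end
            if s[i:end].strip():                 # e.g. PWD={some}password}
                raise ValueError(f"text after closing brace in value of {key}")
        else:
            end = n if end < 0 else end
            value = s[i:end]
        out[key] = value
        i = end
    return out


if __name__ == "__main__":
    # Constructed sample using the password from the thread.
    pwd = "{some}{password"
    conn = f"SERVER={{localhost}};UID={{testuser}};PWD={quote_value(pwd)};DATABASE=test"
    print(conn)
    print(parse_conn_str(conn)["PWD"] == pwd)
```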