MySQL Bugs: #106631: MySQL ODBC Connector hangs in SQLDriverConnector if password contains '}'

Bug #106631	MySQL ODBC Connector hangs in SQLDriverConnector if password contains '}'
Submitted:	3 Mar 2022 14:53	Modified:	10 Jun 2022 17:39
Reporter:	Arthur Adolfo	Email Updates:
Status:	Closed	Impact on me:	None
Category:	Connector / ODBC	Severity:	S2 (Serious)
Version:	8.0.28	OS:	SUSE
Assigned to:		CPU Architecture:	Any

Description:
The MySQL ODBC Connector is hanging when PWD parameter from connection string is escaped with {} and the PWD value contains }. 

For general ODBC drivers, the } character should be escaped by doubling it: ...;PWD={some}}password};...

It seems that MySQL ODBC Connector is not able to handle the parsing and it is hanging.

If the PWD is not escaped with {}, it works well. eg. ...;PWD=some}password;...

The error is happening with the latest community driver and is reproducible using isql -k command.

How to repeat:
Run:

isql -k "DRIVER={/driver/path/libmyodbc8a.so};SERVER={host.docker.internal};PORT=3306;UID={root};PWD={some}}password};DATABASE={mysql};" -v

The isql command will hang. This other command will hang as well (not doubling } in the password):

Run isql -k "DRIVER={/driver/path/libmyodbc8a.so};SERVER={host.docker.internal};PORT=3306;UID={root};PWD={some}password};DATABASE={mysql};" -v

Suggested fix:
Handle correctly the parsing of double } when PWD value is escaped with {}.

Hello Arthur Adolfo,

Thank you for the bug report .
Imho this is duplicate of Bug #76310, please see Bug #76310.
Quoting  Bogdan Degtyariov's comment  from  Bug #76310

Unfortunately, the curly braces symbols cannot be used in the passwords.
The ODBC driver manager would not allow that even if such possibility exists for the passwords set to MySQL Server users.
Please note it is not a limitation of MySQL ODBC Driver, but the Windows ODBC Driver Manager.

Regards,
Ashwini Patil

"Unfortunately, the curly braces symbols cannot be used in the passwords.
The ODBC driver manager would not allow that even if such possibility exists for the passwords set to MySQL Server users.
Please note it is not a limitation of MySQL ODBC Driver, but the Windows ODBC Driver Manager."

This is not true. If you have a closing curly brace in a password you simply double it and the ODBC driver will interpret it as a single curly brace. You can verify this with the MSSQL ODBC driver.

Example: If the password is "12}34" the connection string should contain "12}}34".

Here is the ODBC connection string format:

https://docs.microsoft.com/en-us/openspecs/sql_server_protocols/ms-odbcstr/55953f0e-2d30-4...

Note that escaped right curly braces are allowed.

First, I am seeing this behaviour on Linux, so Windows ODBC Manager is not used.
Second, as Pierre said, passwords with curly braces are allowed when we enclose it between {} in connection string. The problem is that MySQL driver is not recognizing }} for escaping } inside {} clause.

Please reopen the bug and try to fix it.

Thanks,
Arthur.

Bug #106789 marked as duplicate of this one

Hello Arthur Adolfo,

Thank you for the feedback.
Verified as described.

regards,
Umesh

Hi Umesh,

Thank you for your reply. I saw that the status of the bug is 'Verified'. What does it mean? Will someone work on this to fix the problem? Is there any estimate time for delivery? My company's product uses MySQL ODBC driver to connect with MySQL databases and this password limitation is affecting our customers.

Thanks,
Arthur.

Hello Arthur,

>>Thank you for your reply. I saw that the status of the bug is 'Verified'. What does it mean? Will someone work on this to fix the problem? 

It means that this bug report is accepted by the verifier as a real bug and we are able to repeat the described problem at our end. Once a bug is *Verified* then it goes to developments queue. I'm sorry but we are prohibited from discussing ETA on bug fixes/releases. Once this issue is fixed then more details would appear here and in respective versions change log - https://dev.mysql.com/doc/relnotes/connector-odbc/en/news-8-0.html

regards,
Umesh

Posted by developer:
 
ODBC driver is now handling the password containing escaped curly brackets as follows:

mysql> create user 'testuser'@'%' identified by '{some}{password';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on *.* to 'testuser'@'%';
Query OK, 0 rows affected (0.00 sec)

$ isql -k "DRIVER={/....../lib/libmyodbc8w.so};SERVER={localhost};UID={testuser};PWD={{{some}}{{password};DATABASE=test" -v
+---------------------------------------+
| Connected!                            |
....

Hi, does the fix is already in version 8.0.29? I tested with version 8.0.29 (https://dev.mysql.com/get/Downloads/Connector-ODBC/8.0/mysql-connector-odbc-8.0.29-linux-g...) and it is still not working, but now the driver doesn't hang anymore.

mysql> create user 'testuser3'@'%' identified by '{some}{password';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on *.* to 'testuser3'@'%';
Query OK, 0 rows affected (0.01 sec)

$ isql -k "DRIVER={/mysql-connector-odbc-8.0.29-linux-glibc2.12-x86-64bit/lib/libmyodbc8w.so};SERVER={localhost};UID={testuser3};PWD={{{some}}{{password};DATABASE=mysql" -v
[S1000][MySQL][ODBC 8.0(w) Driver]Access denied for user 'testuser3'@'127.0.0.1' (using password: YES)
[ISQL]ERROR: Could not SQLDriverConnect

Left curly braces should not be escaped, only right curly braces.

Refer to the format here:
https://docs.microsoft.com/en-us/openspecs/sql_server_protocols/ms-odbcstr/55953f0e-2d30-4...

Hi Pierre,

Tries escaping only right curly braces, still not working:

$ isql -k "DRIVER={/mysql-connector-odbc-8.0.29-linux-glibc2.12-x86-64bit/lib/libmyodbc8a.so};SERVER={localhost};UID={testuser3};PWD={{some}}{password};DATABASE=mysql" -v
[S1000][MySQL][ODBC 8.0(a) Driver]Access denied for user 'testuser3'@'127.0.0.1' (using password: YES)
[ISQL]ERROR: Could not SQLDriverConnect

My response was directed at Bogdan. I notice in the example he gave that the left curly braces are also escaped. That is not correct according to the ODBC connection string format posted Microsoft's website.

Hi Pierre, Arthur,

Sorry for the confusion, the fix has been pushed into the source tree only.
It has not been released yet and the version 8.0.29 still contains the bug.

Sorry for the inconvenience and thanks for your patience.

Hi Bogdan,

Left curly braces should not be escaped, according to the documentation from Microsoft:

https://docs.microsoft.com/en-us/openspecs/sql_server_protocols/ms-odbcstr/55953f0e-2d30-4...

The example you gave of the escaping syntax thus appears incorrect.

Pierre

Pierre,

you are quite right, thank for bringing this point out.
The patch needs to be re-worked. Otherwise, it will be non-compliant to ODBC Connection String Format described by Microsoft.

Changed the way the driver handles the curly brackets escaping:

mysql> create user 'testuser'@'%' identified by '{some}{password';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on *.* to 'testuser'@'%';
Query OK, 0 rows affected (0.00 sec)

$ isql -k "DRIVER={/....../lib/libmyodbc8w.so};SERVER={localhost};UID={testuser};PWD={{some}}{password};DATABASE=test" -v
+---------------------------------------+
| Connected!                            |
....

Posted by developer:
 
Fixed as of the upcoming MySQL Connector/ODBC 8.0.30 release, and here's the proposed changelog entry from the documentation team:

Password parameters escaped with curly braces did not escape right curly
braces in the password value.

Thank you for the bug report and persistent discussion.