Bug #27884 mysql --html does not quote HTML special characters in output
Submitted: 17 Apr 2007 15:06 Modified: 12 Mar 2010 17:55
Reporter: Thomas Henlich Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.0.37, 5.0.26, 5.0.45, 5.0.66, 5.0.67 OS:Any
Assigned to: Jim Winstead
Triage: Triaged: D2 (Serious)

[17 Apr 2007 15:06] Thomas Henlich
Description:
The mysql command-line client does not quote HTML special characters like & < > " in its output. This allows an attacker who is able to write data into a table to inject potentially dangerous code, e. g. Javascript, into the output.

How to repeat:
c:\> mysql --html -execute "select '<a>'"

<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>

Suggested fix:
The quoting of special characters should be the same as for XML output, e. g.:
c:\> mysql --xml -execute "select 'b<a>'"

<?xml version="1.0"?>

<resultset statement="select 'b&lt;a&gt;'
">
  <row>
	<field name="b&lt;a&gt;">b&lt;a&gt;</field>
  </row>
</resultset>
[17 Apr 2007 19:34] Valerii Kravchuk
Thank you for a bug report. Verified just as described.
[16 Apr 2008 12:41] Thomas Henlich
The option should read --execute and not -execute
[1 May 2008 19:32] Jim Winstead
Patch to fix lack of HTML encoding

Attachment: bug27884.patch (text/plain), 1.70 KiB.

[2 Oct 2008 6:47] Thomas Henlich
Request to review/push the patch.
[16 Oct 2008 5:11] Mikiya Okuno
Any version of MySQL could be impacted by this bug.
[6 Apr 2009 12:23] Chad MILLER
Good, except I would also include "apos" in the predef entity list.
[28 Apr 2009 17:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/72932

2875 Jim Winstead	2009-04-28
      Bug #27884: mysql --html does not quote HTML special characters in output
      
        Fix encoding of field values and names in HTML output from mysql client.
      modified:
        client/mysql.cc
        mysql-test/r/mysql.result
        mysql-test/t/mysql.test
[28 Apr 2009 17:56] Jim Winstead
Queued to lp:~mysql-cteam/mysql-server/5.1.
[1 May 2009 0:23] Trent Lloyd
This is queued for 5.1 but will it be fixed in 5.0? There was a lot of customer demand in this as well as the fact it had a CVE, even if the impact is probably reasonably low.
[28 May 2009 8:13] Bugs System
Pushed into 5.1.36 (revid:joro@sun.com-20090528073639-yohsb4q1jzg7ycws) (version source revid:mats@sun.com-20090511132802-nnkiyb2huih1tklz) (merge vers: 5.1.35) (pib:6)
[29 May 2009 1:31] Paul Dubois
Noted in 5.1.36 changelog.

Output from mysql --html did not encode the <, >, or & characters.

Setting to NDI pending push into 6.0.x.
[17 Jun 2009 19:21] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090616183122-chjzbaa30qopdra9) (version source revid:jimw@mysql.com-20090505173706-9ze3q4qzngw8kt2b) (merge vers: 6.0.12-alpha) (pib:11)
[18 Jun 2009 0:56] Trent Lloyd
Repeat; will this be fixed in 5.0 => lots of customers raised concern about 5.0 pecificlaly
[18 Jun 2009 14:59] Paul Dubois
Noted in 5.4.4 changelog.
[12 Aug 2009 23:01] Paul Dubois
Noted in 5.4.2 changelog because next 5.4 version will be 5.4.2 and not 5.4.4.
[15 Aug 2009 2:19] Paul Dubois
Ignore previous comment about 5.4.2.
[26 Aug 2009 13:45] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:32] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[24 Sep 2009 6:40] Trent Lloyd
[18 Jun 2:56] Trent Lloyd
Repeat; will this be fixed in 5.0 => lots of customers raised concern about 5.0
specifically
[24 Sep 2009 7:14] Valerii Kravchuk
Please, re-triage (it is more like I2/P2). Also note that target was set as 5.0+, but development closed the bug without fixing in 5.0! This should never happen.
[1 Oct 2009 17:47] brandon ammann
Will this be patched at all on 5.0 +?
[9 Oct 2009 1:30] Paul Dubois
The 5.4 fix has been pushed to 5.4.2.
[22 Oct 2009 17:31] brandon ammann
Will this be patched at all on 5.0 +?
[23 Nov 2009 22:39] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/91358

2850 Jim Winstead	2009-11-23
      Backport fix for Bug #27884.
[23 Nov 2009 22:46] Jim Winstead
Fix is now queued to 5.0-bugteam.
[27 Nov 2009 13:47] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/91917

2854 Georgi Kodinov	2009-11-27
      Addendum to Bug #27884: fixed test incompatibility on windows.
[2 Dec 2009 8:01] Bugs System
Pushed into 5.0.89 (revid:joro@sun.com-20091202075830-mzl79q7mc1v72pf1) (version source revid:joro@sun.com-20091127134654-a2nx7yc8k02zcv0w) (merge vers: 5.0.89) (pib:13)
[2 Dec 2009 8:03] Bugs System
Pushed into 5.1.42 (revid:joro@sun.com-20091202080033-mndu4sxwx19lz2zs) (version source revid:joro@sun.com-20091127141724-8aag7bic3nhj67ld) (merge vers: 5.1.42) (pib:13)
[4 Dec 2009 1:45] Paul Dubois
Noted in 5.0.89 changelog.

Already fixed in 5.1.x.
[16 Dec 2009 8:34] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version source revid:alik@sun.com-20091214191830-wznm8245ku8xo702) (merge vers: 6.0.14-alpha) (pib:14)
[16 Dec 2009 8:42] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version source revid:alexey.kopytov@sun.com-20091201145844-39gy4wmejbisbxac) (merge vers: 5.5.0-beta) (pib:14)
[16 Dec 2009 8:48] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta) (pib:14)
[16 Dec 2009 15:33] Paul Dubois
Noted in 5.5.1, 6.0.14 changelogs.
[21 Dec 2009 21:01] James Day
This was reported as CVE-2008-4456 .
[12 Mar 2010 14:20] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:35] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:51] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)