Bug #36010 backslash is stripped from a password specified through .my.cnf and SET PASSWORD
Submitted: 11 Apr 2008 23:34
Modified: 16 Apr 2008 15:35
Reporter: Martin Mokrejs
Status: Not a Bug
Category: MySQL Server: Security: Privileges
Severity: S2 (Serious)
Version: 5.0.56
OS: Any
Assigned to:
CPU Architecture: Any

[11 Apr 2008 23:34] Martin Mokrejs
Description:
I did report this already in the past.

mysql> SET PASSWORD FOR 'a'@'b' = PASSWORD('`!=+tO\"K#~H,j. ^_-j*5&(+J6sBw;hHNSD1xjuT/f+');

I set this into .my.cnf:

[client]
password="`!=+tO\"K#~H,j. ^_-j*5&(+J6sBw;hHNSD1xjuT/f+"
user=a

I CANNOT login using mysql which reads the password from the .my.cnf file.
I CAN login into mysql by "mysql -u a -p" but have to omit the backslash from the input password. That means mysql effectively stripped away the backslash from my password when computing the hash. Right?

I think there also used to be a problem with having single and double-quotes in the password and escaping them in the .my.cnf file. As I think of it now, I should have removed the double-quotes from around my password in the .my.cnf file. ;-)

BTW, is there a limit of how many characters are included into the final hash?
For example, first 13 characters?

How to repeat:
See above.

[12 Apr 2008 1:07] Martin Mokrejs
BTW, the following got logged using the old and slow plaintext logging option when I attempted to run mysql_install_db (note the backslashes in front of underscores). I will attach it as an extra file.

[12 Apr 2008 1:07] Martin Mokrejs
mysql_install_db.log

Attachment: mysql_install_db.log (application/octet-stream, text), 11.15 KiB.

[16 Apr 2008 15:35] Susanne Ebrecht
Martin,

Consider here that you always have to use the same encoding.

The MySQL CLI expects an ISO encoding by default.

mysql> show variables like '%char%';

character_set_client Latin1

This means the terminal that you are using should have an ISO-8859-15 or ISO-8859-1 encoding.

If your terminal has utf8 encoding then you have to use:

mysql> set names utf8;
mysql> show variables like '%char%';
character_set_client UTF8

When your terminal/environment encoding matches the client encoding, then you can start setting a password.

For connection, you always have to use the same environment encoding as you used for setting the password.

When you put the password into the my.cnf, then you have to check if the my.cnf has the same encoding as the default client encoding.

Please make sure that your environment encoding is always the same as the my.cnf encoding and that this encoding matches the default character_set_client value.

[3 May 2008 10:44] Sveta Smirnova
In my opinion this is just because MySQL removed the backslash, like in the following example:

mysql> select '\"';
+---+
| " |
+---+
| " | 
+---+
1 row in set (0.00 sec)

But this is not a bug anyway, as the backslash is a special symbol.
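
Added example (not part of the original thread, and not MySQL's own code): a Python sketch of how a quoted SQL string literal is unescaped under the default sql_mode, and of the 41-character PASSWORD() hash format, showing that the hash is computed over the text without the backslash. The sample password is constructed, the function names are hypothetical, and doubled-quote handling ('' inside a literal) is left out.

```python
import hashlib

# Escape sequences recognised inside a MySQL quoted string literal
# (default sql_mode, i.e. NO_BACKSLASH_ESCAPES is not set).
_ESCAPES = {"0": "\0", "'": "'", '"': '"', "b": "\b", "n": "\n",
            "r": "\r", "t": "\t", "Z": "\x1a", "\\": "\\"}


def decode_mysql_literal(body: str) -> str:
    """Return the value the server sees for the text between the quotes."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt in "%_":
                out.append("\\" + nxt)              # \% and \_ keep the backslash
            else:
                out.append(_ESCAPES.get(nxt, nxt))  # otherwise the backslash is dropped
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def native_password_hash(password: str) -> str:
    """'*' + uppercase hex of SHA1(SHA1(password)): the 41-character PASSWORD() format."""
    inner = hashlib.sha1(password.encode("latin-1")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def stored_hash_for_literal(body: str) -> str:
    """Hash that SET PASSWORD ... = PASSWORD('<body>') would store."""
    return native_password_hash(decode_mysql_literal(body))


if __name__ == "__main__":
    typed = r's3cr\"et'        # constructed sample, as typed between the quotes
    doubled = r's3cr\\"et'     # same password with the backslash doubled
    print("server sees      :", decode_mysql_literal(typed))
    print("hash of typed    :", native_password_hash(typed))
    print("hash stored      :", stored_hash_for_literal(typed))
    print("stored if doubled:", stored_hash_for_literal(doubled))
```

Doubling the backslash in the literal, or enabling the NO_BACKSLASH_ESCAPES SQL mode, makes the stored hash correspond to the password with its backslash intact.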