Bug #48392 mysql_upgrade improperly escapes passwords with single quotes
Submitted: 28 Oct 2009 21:03 Modified: 15 Nov 2009 19:07
Reporter: John Lightsey Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.0.86, 5.1.42 OS:Linux
Assigned to: CPU Architecture:Any
Triage: Triaged: D2 (Serious)

[28 Oct 2009 21:03] John Lightsey
Description:
The problem seems to be more precisely in dynstr_append_os_quoted()

With /bin/sh you can't escape a single quote inside a single quoted string.

root@jd:~# sh -c "echo 'foo\'bar'"
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file

You actually have to leave the single quoted string, then escape the quote from the shell, then go back into the single quoted string..

root@jd:~# sh -c "echo 'foo'\''bar'"
foo'bar
root@jd:~#

How to repeat:
With mysql_upgrade this breaks when your password contains a single quote character.

root@jd:~# cat ~/.my.cnf 
[client]
user="root"
pass="test'1234"
root@jd:~# mysql_upgrade
Looking for 'mysql' as: mysql
Looking for 'mysqlcheck' as: mysqlcheck
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
Running 'mysqlcheck'...
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
FATAL ERROR: Upgrade failed

Strace showing the shell code:

17907 execve("/bin/sh", ["sh", "-c", "'mysql' '--no-defaults' '--user=root' '--password=test\\'1234' '--user=root'  '--database=mysql' '--batch' '--skip-force' '--silent' < sqlCb1Yum 2>&1 "], [/* 33 vars */]) = 0
[15 Nov 2009 19:07] Valeriy Kravchuk
Verified just as described, also - with 5.1.42 on Mac OS X.
[19 Jul 2013 14:56] Jeff Petersen
The issue still persists:

--
# grep \' .my.cnf 
pass="test'password"
--
# mysql_upgrade 
Looking for 'mysql' as: mysql
Looking for 'mysqlcheck' as: mysqlcheck
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
FATAL ERROR: Upgrade failed
--

Here's another report:
https://mariadb.atlassian.net/browse/MDEV-4664

May we have an update on this please?

Thanks.