Description:
After upgrading MySQL using the MSI installer (mysql-5.1.53-win32.msi), the path to the MySQL runtime folder was removed from the Windows system PATH variable, and replaced with "\". The correct path to MySQL's bin (typically "C:\Program Files\MySQL\MySQL Server 5.1\bin\") must be set manually after installation.

This behavior seems to have appeared sometime around version 5.1.50. 

While not primarily a security issue, placing an essentially arbitrary path ("\") into the system PATH could raise some security concerns on some systems.

How to repeat:
The system must have the path to MySQL's bin set to exhibit this behavior. The PATH can be set with START/Computer, right-click for Properties, (on some Window versions, select Advanced system settings), on the Advanced tab click on Environment Variables, under System Variable find the "path" variable, and Edit it.

The system PATH variable should contain the current path to MySQL's bin (typically "C:\Program Files\MySQL\MySQL Server 5.1\bin\").

Start a Command window (%SystemRoot%\system32\cmd.exe) and enter the PATH command to display the current system path.

Run the mysql-5.1.53-win32.msi installer with the Complete option (on updates, decline to run the configuration wizard).

Start another Command window (%SystemRoot%\system32\cmd.exe) and enter the PATH command to display the current system path. Note that the path the MySQL's bin has been replaced with "\".

Suggested fix:
Have the MSI installer place the correct path into the system PATH.

I have a comment (well .. two actually!)

1) If the installer replaces the path to ..mysql/bin with "c:\" in system PATH it is a serious issue.

2) But there is no reason why the MySQL server and other MySQL binaries should be in system PATH. The installer sets up the server with full paths to the server binary and defaults file. If user wants (for instance in order to run 'mysqldump' without first navigating to ..mysql/bin he can add himself.

So in short the installer should *never* do anything related to system PATH at all in my opinion.

Hi Peter, yes it's a serious issue.. even worse, the replace path is not "c:\" but "\". This means the root of whatever drive is currently the default (for the task) is exposed.

As for the second part of your comment, again I agree; my "Suggested fix" is incorrect. 

The installer should NOT add the MySQL bin to the Windows path, nor alter the path in any way, including the removal of the MySQL bin if it is present. 

It occurs to me that the change in the path may be some default behavior of the MSI installer..?

You will find lots of programs using the .MSI installer that do not touch system PATH. Here it does because the installer script has such code/instruction, I believe.

You have upgraded from which MySQL server version?. Thanks in advance.

The most recent upgrade was .52 - >.53.

System Path 5.5

Attachment: system_var_path.png (image/png, text), 26.98 KiB.

I couldn't repeat with 5.5.17 version (see prior attached picture). I will try 5.1.XX version thought.

Thank you for the feedback. I couldn't repeat with 5.1.59 please try this version. Thanks.

No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".