Bug #66317 mysql_setpermission does not quote user names
Submitted: 10 Aug 2012 21:13 Modified: 27 Oct 2014 17:28
Reporter: Nicholas Bamber (OCA) Email Updates:
Status: Closed Impact on me:
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.0.51a-12 and onwards OS:Any
Assigned to: CPU Architecture:Any

[10 Aug 2012 21:13] Nicholas Bamber
mysql_setpermission does not quote user name.  This makes it impossible
to use with names such as `www-data'.

This was originally reported as http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497702.

How to repeat:
sample file will be attached. 

Suggested fix:
Please quote the user variable in the SQL or other defensive measure.
[10 Aug 2012 21:14] Nicholas Bamber
Sample session showing how www-data breaks the script.

Attachment: mysql_setpermission.txt (text/plain), 2.50 KiB.

[11 Aug 2012 7:33] Valeriy Kravchuk
Thank you for the bug report. Verified by code review. This is how password is updated:

  my $sth = $dbh->prepare("update user set Password=$pass where User = $user and Host = $host") || die $dbh->errstr;

User name is obviously not quoted here.
[27 Oct 2014 17:28] Paul DuBois
Noted in 5.5.41, 5.6.22, 5.7.6 changelogs.

mysql_setpermission failed to properly quote user names in SQL
statements that it generated.
[3 Dec 2014 15:18] Laurynas Biveinis
$ bzr log -r 4726
revno: 4726
committer: Arun Kuruvila <arun.kuruvila@oracle.com>
branch nick: mysql-5.5
timestamp: Fri 2014-10-17 11:14:26 +0530
  Description: Certain operations using the client tool
  'mysql\_setpermisson' which uses username of the format 
  "xxx-yyy" results in a syntax error.
  Analysis: The user name variable ( $user ) was not quoted
  properly in the 'mysql\_setpermission' script. As a result,
  while granting user privileges for a user with username of
  the format 'xxx-yyy', results in a syntax error.
  Fix: The escape sequence has been applied for the user
  variable in the script file.
  Note: Test case is not added for this fix.
  'mysql\_setpermission' executable resides in different
  directories on pb2 machines and on local boxes. Hence the 
  test case cannot be made generic.