| Bug #66317 | mysql_setpermission does not quote user names | ||
|---|---|---|---|
| Submitted: | 10 Aug 2012 21:13 | Modified: | 27 Oct 2014 17:28 |
| Reporter: | Nicholas Bamber (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Command-line Clients | Severity: | S3 (Non-critical) |
| Version: | 5.0.51a-12 and onwards | OS: | Any |
| Assigned to: | CPU Architecture: | Any | |
[10 Aug 2012 21:13]
Nicholas Bamber
[10 Aug 2012 21:14]
Nicholas Bamber
Sample session showing how www-data breaks the script.
Attachment: mysql_setpermission.txt (text/plain), 2.50 KiB.
[11 Aug 2012 7:33]
Valeriy Kravchuk
Thank you for the bug report. Verified by code review. This is how password is updated:
...
my $sth = $dbh->prepare("update user set Password=$pass where User = $user and Host = $host") || die $dbh->errstr;
User name is obviously not quoted here.
[27 Oct 2014 17:28]
Paul DuBois
Noted in 5.5.41, 5.6.22, 5.7.6 changelogs. mysql_setpermission failed to properly quote user names in SQL statements that it generated.
[3 Dec 2014 15:18]
Laurynas Biveinis
$ bzr log -r 4726 ------------------------------------------------------------ revno: 4726 committer: Arun Kuruvila <arun.kuruvila@oracle.com> branch nick: mysql-5.5 timestamp: Fri 2014-10-17 11:14:26 +0530 message: Bug #14486004 MYSQL_SETPERMISSION DOES NOT QUOTE USER NAMES Description: Certain operations using the client tool 'mysql\_setpermisson' which uses username of the format "xxx-yyy" results in a syntax error. Analysis: The user name variable ( $user ) was not quoted properly in the 'mysql\_setpermission' script. As a result, while granting user privileges for a user with username of the format 'xxx-yyy', results in a syntax error. Fix: The escape sequence has been applied for the user variable in the script file. Note: Test case is not added for this fix. 'mysql\_setpermission' executable resides in different directories on pb2 machines and on local boxes. Hence the test case cannot be made generic.
