Bug #66696 password validation plugin does not warn on invalid dictionary file
Submitted: 4 Sep 2012 20:38
Modified: 23 Jan 2013 14:08
Reporter: Todd Farmer (OCA)
Status: Closed
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.6.6
OS: Any
CPU Architecture: Any

[4 Sep 2012 20:38] Todd Farmer
The documentation states the following requirements for the password validation dictionary file:

* all lower-case
* one word per line
* no larger than 1MB

Starting the server and specifying a file which violates these constraints produces no error message, but also seems to have undefined impact on plugin behavior. As best I can tell, words using upper-case letters in the file are simply ignored. I can't tell exactly what happens when files greater than 1MB are specified, but it seems that the file is never referenced during validation (words at top and bottom are equally accepted).

How to repeat:
Start MySQL 5.6.6+ with a password validation dictionary file that violates the constraints described, observe no error message.

Suggested fix:
Log error at least when constraints are violated.
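As an added example (not part of the bug report and not MySQL's own code), a pre-flight check an administrator can run over a candidate dictionary file before pointing validate_password_dictionary_file at it, since the server version reported here gives no warning of its own. It tests the three documented constraints listed in the report; the function names, the constant and the sample file contents are assumptions of this example.

```python
"""Pre-flight check for a validate_password dictionary file.

Added example, not from the bug report or the MySQL code base.
Assumed constraints are the three the report quotes from the docs:
every entry lower-case, one word per line, file no larger than 1 MB.
"""
import os

MAX_SIZE = 1024 * 1024  # 1 MB limit stated in the documentation


def check_dictionary_bytes(data: bytes) -> list:
    """Return a list of (line_number, problem) tuples; empty means OK.

    Line number 0 is used for whole-file problems such as size.
    """
    problems = []
    if len(data) > MAX_SIZE:
        problems.append((0, "file exceeds 1 MB (%d bytes)" % len(data)))
    for num, raw in enumerate(data.splitlines(), start=1):
        word = raw.decode("utf-8", errors="replace")
        if word == "":
            problems.append((num, "empty line"))
            continue
        if any(ch.isspace() for ch in word):
            # Whitespace inside a line means more than one word (or padding).
            problems.append((num, "not a single word: %r" % word))
        if word != word.lower():
            # The report observes that such entries are silently ignored.
            problems.append((num, "upper-case characters: %r" % word))
    return problems


def check_dictionary_file(path: str) -> list:
    """Read a dictionary file from disk and check it."""
    with open(path, "rb") as fh:
        return check_dictionary_bytes(fh.read())


# Constructed sample of a badly formed dictionary (not a real file).
SAMPLE = b"password\nPassword\nqwerty 123\nletmein\n\n"

if __name__ == "__main__":
    for line, problem in check_dictionary_bytes(SAMPLE):
        print("line %d: %s" % (line, problem))
```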
[23 Jan 2013 14:08] Paul Dubois
Noted in 5.6.10, 5.7.1 changelogs.

The server now logs warnings at startup if the file specified for the validate_password_dictionary_file system variable violates constraints on valid password file contents.