Bug #70742 Use hex encoding for show grants for sha256 plugin
Submitted: 27 Oct 2013 19:22 Modified: 18 Nov 2014 10:27
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.6.14
OS: Any
Assigned to:
CPU Architecture: Any

[27 Oct 2013 19:22] Daniël van Eeden
Description:
The output of SHOW GRANTS shows non-printable characters for users using the sha256 authentication plugin.

How to repeat:
mysql> SHOW GRANTS FOR 'sha256user'@'localhost'\G
*************************** 1. row ***************************
Grants for sha256user@localhost: GRANT USAGE ON *.* TO 'sha256user'@'localhost' IDENTIFIED BY PASSWORD '$5$Kl<X
                               }[.O,/j^fR8"%$/2AN09zB6N/w.X.PCz/bHwUDcWHYCNiPwKKvt49CqR2'
1 row in set (0.00 sec)

Suggested fix:
Encode/Decode the authentication string to/from hex to make sure it contains only printable characters.

mysql> SELECT User,Host,Plugin,CONCAT('UNHEX(\'',HEX(Authentication_string),'\')') hex_auth_string FROM mysql.user WHERE User='sha256user'\G
*************************** 1. row ***************************
           User: sha256user
           Host: localhost
         Plugin: sha256_password
hex_auth_string: UNHEX('2435244B6C3C580B7D5B1E2E4F2C2F6A0F5E6652382225242F32414E30397A42364E2F772E582E50437A2F624877554463574859434E6950774B4B7674343943715232')
1 row in set (0.00 sec)

Optionally: Each authentication plugin is allowed to supply an encode/decode function.
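
An added illustration of the hex round-trip suggested above (not part of the original report and not MySQL code): it decodes the hex_auth_string value shown in the report, locates the control bytes in the salt, and checks that the UNHEX('...') form is lossless while the visible text is not. The function names are hypothetical, and `visible_text_only` is an assumed model of copying the printed SHOW GRANTS output.

```python
# Added example: hex round-trip for a sha256_password authentication string.
# REPORT_HEX is the value from the report's hex_auth_string column.
REPORT_HEX = (
    "2435244B6C3C580B7D5B1E2E4F2C2F6A0F5E665238222524"
    "2F32414E30397A42364E2F772E582E50437A2F62"
    "4877554463574859434E6950774B4B7674343943715232"
)


def parse_sha256_auth(raw: bytes):
    """Split '$5$<salt>$<hash>' into (salt, hash); the salt may hold any byte."""
    if not raw.startswith(b"$5$"):
        raise ValueError("not a $5$ (SHA-256 crypt) string")
    # The crypt base64 hash never contains '$', so split on the last one.
    salt, sep, digest = raw[3:].rpartition(b"$")
    if not sep or not salt or not digest:
        raise ValueError("missing salt or hash field")
    return salt, digest


def nonprintable_offsets(raw: bytes):
    """Return (offset, byte) for every byte outside printable ASCII."""
    return [(i, b) for i, b in enumerate(raw) if not 0x20 <= b <= 0x7E]


def to_unhex_literal(raw: bytes) -> str:
    """Render the bytes as a SQL UNHEX('...') expression, as in the report."""
    return "UNHEX('%s')" % raw.hex().upper()


def from_unhex_literal(literal: str) -> bytes:
    """Inverse of to_unhex_literal for the exact UNHEX('...') form."""
    if not (literal.startswith("UNHEX('") and literal.endswith("')")):
        raise ValueError("not an UNHEX('...') literal")
    return bytes.fromhex(literal[7:-2])


def visible_text_only(raw: bytes) -> bytes:
    """Assumed model of copying SHOW GRANTS output: control bytes are lost."""
    return bytes(b for b in raw if 0x20 <= b <= 0x7E)


if __name__ == "__main__":
    raw = bytes.fromhex(REPORT_HEX)
    salt, digest = parse_sha256_auth(raw)
    print("salt bytes:", len(salt), "hash chars:", len(digest))
    print("non-printable:", [(i, hex(b)) for i, b in nonprintable_offsets(raw)])
    print("lossless:", from_unhex_literal(to_unhex_literal(raw)) == raw)
    print("visible text still equal:", visible_text_only(raw) == raw)
```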