Bug #75004 validatepassword can't prevent upper case password string which included in file
Submitted: 26 Nov 2014 4:27 Modified: 9 Dec 2014 20:41
Reporter: wang huai Email Updates:
Status: Verified Impact on me:
Category:MySQL Server: Pluggable Authentication Severity:S1 (Critical)
Version:5.6.20 OS:Any
Assigned to: CPU Architecture:Any
Tags: MySQL, validatepassword

[26 Nov 2014 4:27] wang huai
when use the validate password plugin, and set the validate_password_dictionary_file=password.dict, 
add password string 'ABCDEFGHIG' to password.dict
and then login in mysql, and set current password to 'ABCDEFGHIG', it can been set ok, not report error.

How to repeat:
1. stop mysqld
2. add parameters as follows:

3. add string 'ABCDEFGHIG' to file password.dict
4. start mysqld

mysql> set password=password('ABCDEFGHIG');
Query OK, 0 rows affected (0.02 sec)

it is ok? no no no, I have add it to password.dict file

Suggested fix:
I have modify it, the details as follows:

in function validate_dictionary_check in file validate_password.cc, 
the function mysql_string_to_lowercase transfer the password to lower case, but in dictionary_stream, the password still upper case, so the lower case can't been find in dictionary_stream.

I have delete the mysql_string_to_lowercase operation and the problem is ok, but I don't know why to transfer.

thank you very much
[9 Dec 2014 20:41] Sveta Smirnova
Thank you for the report.

Technically saying this is not a bug according to http://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html#validate-password-opt...: "Its contents should be lowercase, one word per line." So all uppercase letters are ignored.

But I don't understand why this limitation exists, especially because comparison is expected to be case-insensitive. So I verify it as feature request: "Allow mixed case in dictionary files."