Bug #83420 mysql_config_editor should validate parameters
Submitted: 18 Oct 2016 3:08
Modified: 18 Oct 2016 6:36
Reporter: Tsubasa Tanaka (OCA)
Status: Verified
Category: MySQL Server: Command-line Clients
Severity: S3 (Non-critical)
Version: 5.7.15, 8.0.0
OS: CentOS (7.2)
Assigned to:
CPU Architecture: Any

[18 Oct 2016 3:08] Tsubasa Tanaka
Description:
mysql_config_editor doesn't validate parameters, except for the parameter name.

So ~/.mylogin.cnf can have unexpected parameters when I include an LF in a parameter value.

How to repeat:
$ mysql_config_editor reset
$ mysql_config_editor set --login-path=mysqld --socket="$(echo '/tmp/mysql.sock' ; echo 'skip-grant-tables')"
$ mysql_config_editor print --all
[mysqld]
socket = /tmp/mysql.sock
skip-grant-tables

skip-grant-tables was injected.

$ bin/mysqld_safe &
$ bin/mysql -uroot -S /tmp/mysql.sock
mysql> SHOW GRANTS;
ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement

Suggested fix:
Sanitize parameters in client/mysql_config_editor.cc:set_command
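
The kind of check the suggested fix asks for, as an added example that is not MySQL's code and not part of the original report: a writer that refuses any value that cannot sit on a single option-file line, next to an unvalidated writer. All function names are hypothetical, and the file is modeled as the plain "key = value" text that `print --all` shows above; rejecting every control character (tab included) is an assumption of this sketch.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

using Options = std::vector<std::pair<std::string, std::string>>;

// Hypothetical check: reject LF, CR, NUL and all other control characters.
bool is_safe_option_value(const std::string &value) {
  for (unsigned char c : value)
    if (c < 0x20 || c == 0x7f) return false;
  return true;
}

// Unvalidated writer: emits "[section]" then one "key = value" line per option.
std::string render_section(const std::string &section, const Options &opts) {
  std::string out = "[" + section + "]\n";
  for (const auto &kv : opts) out += kv.first + " = " + kv.second + "\n";
  return out;
}

// Validating writer: returns false and writes nothing if any value is unsafe.
bool render_section_checked(const std::string &section, const Options &opts,
                            std::string *out) {
  for (const auto &kv : opts)
    if (!is_safe_option_value(kv.second)) return false;
  *out = render_section(section, opts);
  return true;
}

// Counts the option lines a reader of the file would see after the header.
int count_option_lines(const std::string &text) {
  std::istringstream in(text);
  std::string line;
  int n = 0;
  while (std::getline(in, line))
    if (!line.empty() && line[0] != '[') ++n;
  return n;
}

int main() {
  // Constructed input matching the report: one value carrying an embedded LF.
  Options opts = {{"socket", "/tmp/mysql.sock\nskip-grant-tables"}};
  std::string text;
  std::cout << count_option_lines(render_section("mysqld", opts)) << " "
            << render_section_checked("mysqld", opts, &text) << "\n";
  return 0;
}
```

The unvalidated writer turns the single `socket` value into two option lines, while the checked writer rejects it and leaves the output untouched.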

[18 Oct 2016 6:36] MySQL Verification Team
Hello Tanaka-San,

Thank you for the report.
Verified as described with 8.0 build.

Thanks,
Umesh