MySQL Server installation fails if root password contains special characters such as apostrophe
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
mysql-5.7 (Ubuntu) | Fix Released | High | Lars Tangvald | |
Xenial | Fix Released | High | Lars Tangvald | |
Bug Description
The postinst script for mysql-server-5.7 can take a root password for the server as input. It does not properly escape this password before passing it to the server in an SQL script.
[Impact]
If a user enters a root password containing such a character, MySQL will throw a syntax error when d/postinst tries to set it, causing postinst failure.
One would expect the password to support special characters, and e.g. pwgen -y will generate passwords containing such characters.
We fix this by passing the password through coreutils' printf %q, which escapes all special characters.
[Test case]
Install the mysql-server-5.7 package, and enter "pass'word" when prompted for the root password. This should work.
[Regression Potential]
This change has been in Yakkety for some time (5.7.15-0ubuntu2).
== printf %q changes behavior ==
Unlikely, since it's part of coreutils, but it might cause syntax errors similar to what is seen now, or result in a root password that is different from what the user expects (fixable for an admin, but would be confusing).
== printf %q escapes characters that should not be escaped ==
Some characters, such as $, do not need to be escaped for MySQL, but are escaped by printf %q. For those tested, MySQL supports both (passing \$ is equivalent to passing $), but if this support is incomplete it could result in a syntax error and postinst failure.
[Original description]
Running linuxmint 18, had trouble installing mysql-server. After a fair amount of frustration, I dug around, found a temp file that had a command in it to change my root password, my password was there (in plain text), and had a clear problem with the apostrophe in the password. It looked something like this:
SET PASSWORD FOR 'root'@'localhost' = PASSWORD(
I didn't save the file, did successfully install MySQL with a password without the single quote, and I'm not going to undo that all just to give a better bug report. I'm sure your programmers won't have any trouble tracking this down.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mysql-server-5.7 5.7.12-0ubuntu1.1
ProcVersionSign
Uname: Linux 4.4.0-28-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Mon Jul 4 22:36:34 2016
InstallationDate: Installed on 2016-07-02 (2 days ago)
InstallationMedia: Linux Mint 18 "Sarah" - Release amd64 20160628
SourcePackage: mysql-5.7
UpgradeStatus: No upgrade log present (probably fresh install)
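The quoting failure from the description above, and an escaped form, as an added example that is not the package's postinst code. The statement, the function names and the skeleton check are constructed for illustration, and the escaping here targets MySQL string-literal syntax with sed (assuming the default sql_mode) rather than the printf %q used in the fix.

```shell
#!/bin/sh
# Added example: constructed statement and helper names, not the postinst.

# Vulnerable form: the password is pasted into the SQL literal as-is.
stmt_naive() {
    printf "ALTER USER 'root'@'localhost' IDENTIFIED BY '%s';" "$1"
}

# Escape for a MySQL single-quoted literal. Assumes the default sql_mode,
# where backslash is the escape character (NO_BACKSLASH_ESCAPES not set).
# Backslashes are doubled first so the ones added for quotes stay single.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Hardened form: same statement, password escaped for the SQL grammar.
stmt_escaped() {
    printf "ALTER USER 'root'@'localhost' IDENTIFIED BY '%s';" \
        "$(sql_escape "$1")"
}

# Offline check: replace every string literal with "?" the way MySQL would
# tokenize it. If the password changed the statement's structure, the
# skeleton differs from the one produced by a harmless password.
sql_skeleton() {
    printf '%s' "$1" | awk '
    {
        if (NR > 1 && !in_str) out = out "\n"
        n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (!in_str) {
                if (c == "\047") { in_str = 1; out = out "?" } else out = out c
            } else if (c == "\\") {
                i++                       # backslash escapes the next char
            } else if (c == "\047") {
                if (substr($0, i + 1, 1) == "\047") i++   # doubled quote
                else in_str = 0
            }
        }
    }
    END { printf "%s%s", out, (in_str ? "<unterminated>" : "") }'
}

pw="pass'word"   # the password from the test case in this report
printf 'naive:   %s\n' "$(sql_skeleton "$(stmt_naive "$pw")")"
printf 'escaped: %s\n' "$(sql_skeleton "$(stmt_escaped "$pw")")"
```

A skeleton other than `ALTER USER ?@? IDENTIFIED BY ?;` means the password leaked out of its literal, which is the condition that makes the server reject the statement.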
Changed in mysql-5.7 (Ubuntu): | |
importance: | Undecided → High |
assignee: | nobody → Lars Tangvald (lars-tangvald) |
Changed in mysql-5.7 (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in mysql-5.7 (Ubuntu): | |
status: | New → In Progress |
Changed in mysql-5.7 (Ubuntu): | |
status: | In Progress → Fix Committed |
tags: | added: xenial-candidate |
summary: |
- MySQL Server installation freezes if root password contains a single
- quote (apostrophe)
+ MySQL Server installation freezes if root password contains special
+ characters such as apostrophe |
summary: |
- MySQL Server installation freezes if root password contains special
+ MySQL Server installation fails if root password contains special
characters such as apostrophe |
description: | updated |
Changed in mysql-5.7 (Ubuntu Xenial): | |
assignee: | nobody → Lars Tangvald (lars-tangvald) |
status: | New → Fix Committed |
Changed in mysql-5.7 (Ubuntu Xenial): | |
status: | Fix Committed → In Progress |
Changed in mysql-5.7 (Ubuntu Xenial): | |
milestone: | none → xenial-updates |
We have pretty much the same issue with the upstream packages. Filtering the password with printf %q in postinst seems to escape the characters correctly so the password can be passed to the server.
Upstream report: http://bugs.mysql.com/bug.php?id=81958