installation: fix database password escaping #2846
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Updated database.py to wrap password for init script in quotes
eamonnmag
changed the title
|
@eamonnmag could you please amend the commit message according to Invenio standards. Example: |
jirikuncar
changed the title
| @@ -85,7 +85,7 @@ def init(user='root', password='', yes_i_know=False): | |||
| # Create user and grant access to database. | |||
| (cmd_prefix + '-e "GRANT ALL PRIVILEGES ON ' | |||
| '{CFG_DATABASE_NAME}.* TO {CFG_DATABASE_USER}@localhost ' | |||
| 'IDENTIFIED BY {CFG_DATABASE_PASS}"'), | |||
| 'IDENTIFIED BY \'{CFG_DATABASE_PASS}\'"'), | |||
There was a problem hiding this comment.
@eamonnmag actually this highlights the issue of proper escaping of the password. What if the password has a quotation sign? You should probably protect the CFG_DATABASE_PASS variable within args, so that any single quote is properly escaped.
Yep. For reference these are detailed in https://github.com/inveniosoftware/invenio/blob/pu/CONTRIBUTING.rst (point 6) |
|
@kaplun can you test the PR? It looks useful for 2.0.0. |
I checked how say the password 'pass\'\'word' was rendering and if it could be escaped. Python is automatically escaping this and actually creating this, pass'"'"''"'"'word. Given that developers will see that this password is clearly not what they intended from the log message, this is probably ok, they can just change it. Passwords such as 'pass''word' are rendered as 'password' due to python and it's concatenation. So, for me, I think this function does what it is supposed to do. The small fix at least removes any ambiguity for developers.
|
Hi @eamonnmag, in Invenio we try to keep history as clean as possible (since it is then used to compile the change logs). Could you squash this commits into one clean commit (since it's implementing one functionality and it has not yet been merged)? Additionally you can happily just keep this PR. No need to close it or re-open it. Just push-force an updated branch. As soon as your branch will be integrated it will be automatically closed. |
|
Yeah, I sort of messed it up. Was the first time I tried it across forks :) I will look at the behaviour of the quotes function above my edits and modify it as discussed today. |
|
@eamonnmag please remove all extra newlines you have added outside |
|
Squash and rebase your branch: |
| @@ -77,17 +77,25 @@ def init(user='root', password='', yes_i_know=False): | |||
| cmd_admin_prefix = prefix.format(cmd='mysqladmin', user=user, | |||
| password=password, | |||
| **args) | |||
|
|
|||
| # we can't wrap all keys in quotes since the table name for instance is not quotable' | |||
| keys_to_wrap =['CFG_DATABASE_PASS', 'CFG_DATABASE_USER'] | |||
There was a problem hiding this comment.
Perhaps should it be in config @jirikuncar ?
There was a problem hiding this comment.
It's fine as it is, however @hachreak is working on some improvements https://github.com/hachreak/invenio/commits/refactor_database_init.
|
the PR #2897 for my branch. |
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Mar 20, 2015
* BETTER Uses SQLAlchemy to init the database instead of execute mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]>
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Mar 20, 2015
* BETTER Uses SQLAlchemy and SQLAlchemy-Utils to init the database instead of execute mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]>
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Mar 20, 2015
* BETTER Uses SQLAlchemy and SQLAlchemy-Utils to init the database instead of execute mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]>
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Mar 27, 2015
* BETTER Uses SQLAlchemy and SQLAlchemy-Utils to init the database instead of execute mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]>
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Mar 30, 2015
* BETTER Uses SQLAlchemy and SQLAlchemy-Utils to init the database instead of execute mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]>
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Mar 31, 2015
* BETTER Uses SQLAlchemy and SQLAlchemy-Utils to init the database instead of execute mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]>
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Apr 2, 2015
* BETTER Uses SQLAlchemy and SQLAlchemy-Utils to init the database instead of executing mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]> Signed-off-by: Leonardo Rossi <[email protected]>
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Apr 2, 2015
* BETTER Uses SQLAlchemy and SQLAlchemy-Utils to init the database instead of executing mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]>
hachreak
pushed a commit
to hachreak/invenio
that referenced
this pull request
Apr 2, 2015
* BETTER Uses SQLAlchemy and SQLAlchemy-Utils to init the database instead of executing mysql in a python subshell. (closes inveniosoftware#2846) (closes inveniosoftware#2844) * NEW Adds support for PostgreSQL database initialization. Signed-off-by: Leonardo Rossi <[email protected]> Reviewed-by: Jiri Kuncar <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: @eamonnmag
Reviewed-by: Jiri Kuncar [email protected]