Module breaks with certain "root_password"s due to not being shell-escaped #187

Open
TwizzyDizzy opened this issue Jul 25, 2023 · 1 comment

TwizzyDizzy commented Jul 25, 2023

Hi folks,

it seems as though the module breaks when the password is used with a `$root_password` that contains shell-relevant characters.

Consider this password: `hu7eithei4kaeeke@C;om`

```puppet
exec { 'create .my.cnf for user root':
  path    => '/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin',
  command => "echo \"${my_cnf}\" > ${facts['root_home']}/.my.cnf",
  onlyif  => [
    "mysql --user=root --password=${root_password} -e 'select count(1);'",
    "test `cat ${facts['root_home']}/.my.cnf | grep -c \"password='${root_password}'\"` -eq 0",
  ],
  require => Service[$params['mysql_service_name']],
  before  => $_root_my_cnf_before,
}
```

Line 555 leads to:

```
Error: /Stage[main]/Galera/Exec[create .my.cnf for user root]: Could not evaluate: sh: om: command not found
```

Obviously this cuts off after the ; and tries to execute the rest of the string in the shell context.

It's probably wise to use stdlib shell_escape.

Shall I prepare a merge request for that?

Cheers
Thomas

@TwizzyDizzy TwizzyDizzy changed the title ~~Module breaks~~ Module breaks with certain root_passwords due to not being shell-escaped Jul 25, 2023
@TwizzyDizzy TwizzyDizzy changed the title ~~Module breaks with certain root_passwords due to not being shell-escaped~~ Module breaks with certain "root_password"s due to not being shell-escaped Jul 25, 2023
@fraenki fraenki self-assigned this Apr 22, 2024
@fraenki fraenki added the bug label Apr 22, 2024

fraenki commented Apr 22, 2024

> It's probably wise to use stdlib shell_escape.

Hm, this may not be possible according to the documentation:

> **Note:** that the resulting string should be used unquoted and is not intended for use in double quotes nor in single quotes.

Any thoughts?
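
The quoting behaviour discussed in this thread, as an added example that is not part of the issue or of the module's code: stdlib documents `shell_escape` as behaving like Ruby's `Shellwords.shellescape`, so the script below passes the password from the report through `sh -c` three ways. `printf` stands in for `mysql` (an assumption, so no database is needed), and `run_via_sh` and `check_password_argument` are hypothetical helper names.

```ruby
require 'open3'
require 'shellwords'

# Password from the issue report; ';' is a command separator for sh.
PASSWORD = 'hu7eithei4kaeeke@C;om'

# Stand-in for `mysql --password=...`. The line is handed to `sh -c` as one
# string, the way an exec with a shell command string is evaluated. Returns
# [text the program actually received, whether the whole line exited 0].
def run_via_sh(arg_text)
  out, _err, status = Open3.capture3('sh', '-c', "printf '%s' --password=#{arg_text}")
  [out, status.success?]
end

# Compare the three ways the password could be placed on the command line.
def check_password_argument(password)
  escaped = Shellwords.escape(password)
  {
    escaped: escaped,
    # Interpolated as in the reported onlyif: sh splits the line at ';'.
    raw: run_via_sh(password),
    # Escaped and used unquoted, as the shell_escape note requires.
    unquoted: run_via_sh(escaped),
    # Escaped and then wrapped in '...': the backslash stays in the value.
    single_quoted: run_via_sh("'#{escaped}'")
  }
end

if __FILE__ == $PROGRAM_NAME
  check_password_argument(PASSWORD).each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Only the unquoted form delivers the original password; the single-quoted form delivers it with a literal backslash before the `;`, which is the case the documentation note rules out and the one the `grep -c "password='...'"` check would hit.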
