Wrong transfer password across parameters into other scripts (need escaping and quotes)

GoogleCodeExporter commented 9 years ago

Hello!
I found a bug with working with config file of mha.

i have strong password in mysql, that contains such symbols like 
'$','\','%','$' and other. Not just letters and didgits.

For example i write in in mha cnf 
password=%DE&T^GF1

and then i execute 
masterha_check_repl --conf=/etc/mha_manager/app1.cnf

i got messages about programm couldnt connect to mysql.

############################
############################
############################
Wed Nov 14 17:31:17 2012 - [warning] Global configuration file 
/etc/masterha_default.cnf not found. Skipping.
Wed Nov 14 17:31:17 2012 - [info] Reading application default configurations 
from /etc/mha_manager/app1.cnf..
Wed Nov 14 17:31:17 2012 - [info] Reading server configurations from 
/etc/mha_manager/app1.cnf..
Wed Nov 14 17:31:17 2012 - [info] MHA::MasterMonitor version 0.53.
Wed Nov 14 17:31:17 2012 - [info] Dead Servers:
Wed Nov 14 17:31:17 2012 - [info] Alive Servers:
Wed Nov 14 17:31:17 2012 - [info]   172.16.50.11(172.16.50.11:3306)
Wed Nov 14 17:31:17 2012 - [info]   172.16.50.14(172.16.50.14:3306)
Wed Nov 14 17:31:17 2012 - [info] Alive Slaves:
Wed Nov 14 17:31:17 2012 - [info]   172.16.50.11(172.16.50.11:3306)  
Version=5.5.28-MariaDB-log (oldest major version between slaves) log-bin:enabled
Wed Nov 14 17:31:17 2012 - [info]     Replicating from 
172.16.50.14(172.16.50.14:3306)
Wed Nov 14 17:31:17 2012 - [info] Current Alive Master: 
172.16.50.14(172.16.50.14:3306)
Wed Nov 14 17:31:17 2012 - [info] Checking slave configurations..
Wed Nov 14 17:31:17 2012 - [info] Checking replication filtering settings..
Wed Nov 14 17:31:17 2012 - [info]  binlog_do_db= testdb, binlog_ignore_db=
Wed Nov 14 17:31:17 2012 - [info]  Replication filtering check ok.
Wed Nov 14 17:31:17 2012 - [info] Starting SSH connection tests..
Wed Nov 14 17:31:18 2012 - [info] All SSH connection tests passed successfully.
Wed Nov 14 17:31:18 2012 - [info] Checking MHA Node version..
Wed Nov 14 17:31:18 2012 - [info]  Version check ok.
Wed Nov 14 17:31:18 2012 - [info] Checking SSH publickey authentication 
settings on the current master..
Wed Nov 14 17:31:18 2012 - [info] HealthCheck: SSH to 172.16.50.14 is reachable.
Wed Nov 14 17:31:18 2012 - [info] Master MHA Node version is 0.53.
Wed Nov 14 17:31:18 2012 - [info] Checking recovery script configurations on 
the current master..
Wed Nov 14 17:31:18 2012 - [info]   Executing command: save_binary_logs 
--command=test --start_pos=4 --binlog_dir=/home/mysqldata/ 
--output_file=/home/mha_manager_data/app1/save_binary_logs_test 
--manager_version=0.53 --start_file=mysql-bin.000009
Wed Nov 14 17:31:18 2012 - [info]   Connecting to 
root@172.16.50.14(172.16.50.14)..
  Creating /home/mha_manager_data/app1 if not exists..    ok.
  Checking output directory is accessible or not..
   ok.
  Binlog found at /home/mysqldata/, up to mysql-bin.000009
Wed Nov 14 17:31:19 2012 - [info] Master setting check done.
Wed Nov 14 17:31:19 2012 - [info] Checking SSH publickey authentication and 
checking recovery script configurations on all alive slave servers..
Wed Nov 14 17:31:19 2012 - [info]   Connecting to 
root@172.16.50.11(172.16.50.11:22)..
  Checking slave recovery environment settings..
    Opening /home/mysqldata/relay-log.info ... ok.
    Relay log found at /home/mysqldata, up to mysql-relay-bin.000002
    Temporary relay log file is /home/mysqldata/mysql-relay-bin.000002
    Testing mysql connection and privileges..ERROR 1045 (28000): Access denied for user 'root'@'172.16.50.11' (using password: YES)

mysql command failed with rc 1:0!
 at /usr/bin/apply_diff_relay_logs line 351
        main::check() called at /usr/bin/apply_diff_relay_logs line 470
        eval {...} called at /usr/bin/apply_diff_relay_logs line 450
        main::main() called at /usr/bin/apply_diff_relay_logs line 110
Wed Nov 14 17:31:19 2012 - [error][/usr/share/perl5/MHA/MasterMonitor.pm, 
ln194] Slaves settings check failed!
Wed Nov 14 17:31:19 2012 - [error][/usr/share/perl5/MHA/MasterMonitor.pm, 
ln373] Slave configuration failed.
Wed Nov 14 17:31:19 2012 - [error][/usr/share/perl5/MHA/MasterMonitor.pm, 
ln384] Error happend on checking configurations.  at 
/usr/bin/masterha_check_repl line 48
Wed Nov 14 17:31:19 2012 - [error][/usr/share/perl5/MHA/MasterMonitor.pm, 
ln479] Error happened on monitoring servers.
Wed Nov 14 17:31:19 2012 - [info] Got exit code 1 (Not master dead).
############################
############################
############################

well, and there is very interesting moment: in the begin it could connect to 
mysql and it could get values of global variables.
but then it couldnt.

i've never written perl scripts (i use c++ and bash usually) but i tried find 
where is problem;

i found that problem in incorrect passing parameters without escaping.
In MasterMonitor.pm in line 185: when construction $command and concatenate 
--slave_pass it should be escaped and placed in quotes. Because the script 
looks on  '$' symbol like on control character and miss it.

I tried change MasterMonitor.pm in this way:

$command .= " --slave_pass='$s->{password}' ";

But this is not help me.

I tried manually run  apply_diff_relay_logs with parameters and found that 
sybmol '$' in password should be escaped 
for example:
it doesnt work
--slave_pass='%DE&T^GF1' 

and it works
--slave_pass='%DE\&T^GF1' 

and if i remove ''' quotes slashes it doesnt work too
--slave_pass=%DE\&T^GF1 

So, please fix this bug or say how to work with such symbols in password(maybe 
there is correct way to write it in cnf file).

I would have done patch for it if i had known Perl.

Original issue reported on code.google.com by obric...@balakam.com on 14 Nov 2012 at 2:12

GoogleCodeExporter commented 9 years ago

Thanks for the report. This is a bug. Needs proper escaping on SSH.

Original comment by Yoshinor...@gmail.com on 14 Nov 2012 at 5:29

Changed state: Accepted

GoogleCodeExporter commented 9 years ago

Proper escaping/unescaping is needed in the below scenario.

* Passing below characters via ssh command(shell). MySQL user and password may 
be affected.
  '"', '!', '#', '&', ';', '`', '|',    '*',
  '?', '~', '<', '>', '^', '(', ')',    '[',
  ']', '{', '}', '$', ',', ' ', '\x0A', '\xFF', and ' and \

* apply_diff_relay_logs command needs unescaping these characters. slave_user 
and slave_pass may be affected. Also, --user and --password parameters via 
mysql command need to be quoted by ''. Single-quote needs to be escaped.

I'll create a patch and after passing test cases I'll publish to GitHub branch.

Original comment by Yoshinor...@gmail.com on 15 Nov 2012 at 2:44

GoogleCodeExporter commented 9 years ago

Fix is committed on GitHub development tree.

https://github.com/yoshinorim/mha4mysql-node
https://github.com/yoshinorim/mha4mysql-manager

You need to update both MHA Node and Manager packages.

This will be included in upcoming MHA 0.54 as well.

Closing this issue. Please reopen if you still repeat any problems.

Original comment by Yoshinor...@gmail.com on 15 Nov 2012 at 7:56

Changed state: Done

fantasyni / mysql-master-ha

Wrong transfer password across parameters into other scripts (need escaping and quotes) #37