fossar / selfoss

multipurpose rss reader, live stream, mashup, aggregation web application
https://selfoss.aditu.de
GNU General Public License v3.0

Special chars not useable #1371

Closed dwydler closed 1 year ago

dwydler commented 1 year ago

Hello Jan, I did an update from 2.18 to 2.19 with the zip file. The password for the database user includes some special chars (@*()!).

After the update, selfoss cannot connect to the database anymore. Here is the content of the log file.

[2022-10-12 16:19:46] selfoss.ERROR: SQLSTATE[HY000] [1045] Access denied for user 'idkc_db1'@'localhost' (using password: YES) {"exception":"[object] (PDOException(code: 1045): SQLSTATE[HY000] [1045] Access denied for user 'idkc_db1'@'localhost' (using password: YES) at /home/users/idkc/www/production/selfoss/src/helpers/DatabaseConnection.php:39)
[stacktrace]
#0 /home/users/idkc/www/production/selfoss/src/helpers/DatabaseConnection.php(39): PDO->__construct()
#1 [internal function]: helpers\\DatabaseConnection->__construct()
#2 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(95): ReflectionMethod->invokeArgs()
#3 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(69): Dice\\Dice->Dice\\{closure}()
#4 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(182): Dice\\Dice->create()
#5 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(95): Dice\\Dice->Dice\\{closure}()
#6 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(69): Dice\\Dice->Dice\\{closure}()
#7 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(140): Dice\\Dice->create()
#8 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(182): Dice\\Dice->expand()
#9 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(95): Dice\\Dice->Dice\\{closure}()
#10 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(69): Dice\\Dice->Dice\\{closure}()
#11 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(140): Dice\\Dice->create()
#12 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(182): Dice\\Dice->expand()
#13 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(95): Dice\\Dice->Dice\\{closure}()
#14 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(69): Dice\\Dice->Dice\\{closure}()
#15 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(182): Dice\\Dice->create()
#16 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(100): Dice\\Dice->Dice\\{closure}()
#17 /home/users/idkc/www/production/selfoss/vendor/level-2/dice/Dice.php(69): Dice\\Dice->Dice\\{closure}()
#18 /home/users/idkc/www/production/selfoss/index.php(12): Dice\\Dice->create()
#19 [internal function]: {closure}()
#20 /home/users/idkc/www/production/selfoss/vendor/bramus/router/src/Bramus/Router/Router.php(458): call_user_func_array()
#21 /home/users/idkc/www/production/selfoss/vendor/bramus/router/src/Bramus/Router/Router.php(440): Bramus\\Router\\Router->invoke()
#22 /home/users/idkc/www/production/selfoss/vendor/bramus/router/src/Bramus/Router/Router.php(287): Bramus\\Router\\Router->handle()
#23 /home/users/idkc/www/production/selfoss/index.php(170): Bramus\\Router\\Router->run()
#24 {main}
"} 

If I remove all special chars from the password, the connection is successful.

Please double check it. Thanks.

jtojnar commented 1 year ago

Thanks for reporting. I have rewritten the configuration manager from scratch and vastly simplified the DB manager for 2.19 so I am surprised I did not notice more subtle bugs like this.


But when I tried running the following in MySQL:

CREATE USER 'selfoss_test'@'localhost' IDENTIFIED BY '@*()!';
CREATE DATABASE selfoss_test;
GRANT ALL PRIVILEGES ON selfoss_test.* TO selfoss_test@localhost;

and then adding the following to config.ini:

db_type=mysql
db_host=localhost
db_database=selfoss_test
db_username=selfoss_test
db_password="@*()!"

It worked just fine for me.


  1. I assume you are running with MySQL?
  2. Did you wrap the password in quotes in the config or do you use it as is?
  3. Could you try adding logger_level=DEBUG to your config.ini and then temporarily modify selfoss as follows:
--- a/src/helpers/DatabaseConnection.php
+++ b/src/helpers/DatabaseConnection.php
@@ -35,7 +35,7 @@ class DatabaseConnection {
      **/
     public function __construct(Logger $logger, $dsn, $user = null, $pw = null, array $options = [], $tableNamePrefix = '') {
         $this->logger = $logger;
-        $this->logger->debug('Creating database connection', ['dsn' => $dsn]);
+        $this->logger->debug('Creating database connection', ['dsn' => $dsn, 'user' => $user, 'pw' => $pw]);
         $this->pdo = new PDO($dsn, $user, $pw, $options);
         $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
         $this->tableNamePrefix = $tableNamePrefix;
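
Review bot: the changed debug call writes the database password in cleartext to the log through `'pw' => $pw`, so anyone who can read the log file, or an excerpt pasted into an issue, then holds the credential. To check whether the value was parsed correctly, logging its length or a hash would be enough, for example `'pw_len' => strlen((string) $pw)`. If the full value is logged as written here, revert the change after the test, delete the resulting log lines and consider changing the password.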

Something like the following should then be logged, where you can check if the password is parsed correctly:

selfoss.DEBUG: Creating database connection {"dsn":"mysql:host=localhost; dbname=selfoss_test","user":"selfoss_test","pw":"@*()!"}

dwydler commented 1 year ago

  1. Independently of that I use MariaDB as database backend.
  2. I have done some more tests. After that, the problem is that the password is not in quotes. I've always skipped this because I don't think it's a character that belongs to the password. So I added quotes like in your example. Now passwords with chars like !()*@ work.

Maybe you can add a note to make it clear for all other users. Because in previous versions it was not necessary.

jtojnar commented 1 year ago

Weirdly, for me, (, ( or ! fail with an error like:

syntax error, unexpected '!' in /home/jtojnar/Projects/selfoss/src/../config.ini on line 36

so I had to add quotes for a DB connection to be even attempted.

But just db_password=@* works just fine, even without quotes.

I am also using MariaDB but if it works with quotes for you, that probably is not the issue.

Maybe PHP version difference? I am running 8.1.11.

I would be interested to see if the debug log does show your password correctly when you apply the patch above.

dwydler commented 1 year ago

> But just db_password=@* works just fine, even without quotes.

I tested it in detail. You are right. These chars work without quoting the password.

> Weirdly, for me, (, ( or ! fail with an error like:

Same here. I see the same error message as you.

So is it intended that the password has to be quoted in the configuration file?

jtojnar commented 1 year ago

We are just using the parse_ini_file function but it looks like it does all sorts of weird transformations, even with INI_SCANNER_RAW (that I forgot to add when I ported configuration away from F3). I guess we will need to switch to a custom parser like F3 had.

jtojnar commented 1 year ago

I have added a warning about this in the news (for people reading them on GitHub).

And pushed a commit that will allow unquoted special characters again. But for 2.19, quoting will be required.
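
The quoting requirement discussed in this thread can be checked before the config is loaded. The following is an added example, not selfoss code and not from any participant: the hypothetical helper `findUnquotedSpecials` flags keys whose unquoted value contains a character the PHP manual lists as special in INI values (`?{}|&~!()^"`) and compares that with what `parse_ini_string` does on three constructed snippets. It reports key names only, never the values.

```php
<?php
// Added example, not selfoss code. All config snippets below are constructed.

// Characters the PHP manual lists as having special meaning in INI values
// under the default INI_SCANNER_NORMAL mode.
const INI_RESERVED = '?{}|&~!()^"';

/**
 * Return the keys whose unquoted value contains a reserved character.
 * Hypothetical pre-flight helper to run before parse_ini_file().
 */
function findUnquotedSpecials(string $ini): array
{
    $bad = [];
    foreach (preg_split('/\R/', $ini) as $line) {
        // Only key=value lines; comments, sections and blank lines do not match.
        if (!preg_match('/^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$/', $line, $m)) {
            continue;
        }
        [, $key, $value] = $m;
        // A value counts as quoted when it starts and ends with the same quote.
        $quoted = strlen($value) >= 2
            && ($value[0] === '"' || $value[0] === "'")
            && substr($value, -1) === $value[0];
        if (!$quoted && strpbrk($value, INI_RESERVED) !== false) {
            $bad[] = $key;
        }
    }
    return $bad;
}

$samples = [
    'unquoted' => "db_username=selfoss_test\ndb_password=@*()!\n",
    'quoted'   => "db_username=selfoss_test\ndb_password=\"@*()!\"\n",
    'at-star'  => "db_username=selfoss_test\ndb_password=@*\n",
];

foreach ($samples as $name => $ini) {
    $flagged = findUnquotedSpecials($ini);
    // @ suppresses the warning the INI parser emits on a syntax error.
    $parsed = @parse_ini_string($ini);
    // Print key names and parse status only; secret values are never echoed.
    printf("%-8s flagged=[%s] parsed=%s\n", $name, implode(',', $flagged),
        $parsed === false ? 'no' : 'yes');
}
```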

dwydler commented 1 year ago

Thank you.