Opened 11 years ago
Closed 10 years ago
#22234 closed Bug (fixed)
Special characters in database password are not escaped correctly on Windows platforms
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | Core (Management commands) | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | anubhav9042@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
https://github.com/django/django/blob/master/django/db/backends/mysql/client.py#L38
On Windows platforms, the database client command line is composed as a string, but no escaping whatsoever is performed on the parameters. Database configuration can contain special characters (especially the password), which would require escaping.
Real-life case: http://stackoverflow.com/questions/22280126/sign-in-database-password-in-django
Change History (6)
comment:1 by , 11 years ago
Has patch: | set |
---|---|
Version: | 1.6 → master |
comment:2 by , 11 years ago
Component: | Database layer (models, ORM) → Core (Management commands) |
---|---|
Triage Stage: | Unreviewed → Accepted |
Hi,
It seems that the different codepath on windows was added as a result of #10357.
Looking at the discussion (especially comment number 3 [1]), it seems that using subprocess
was considered at the time but it wasn't used because it was incompatible with Python 2.3 which was supported at the time.
The patch looks good and cleans things up nicely but I don't have access to a windows box to make sure it actually works.
I'm also concerned about a potential for subtle differences between os.execp
and subprocess.call
. The documentation of os.execp
[2] is a bit hard to read and as a result, I can't really tell exactly what differences there are between the two.
Still, I'll mark this ticket as accepted
, if only on the basis that using os.system(" ".join(args))
is clearly wrong.
Thanks.
[1] https://code.djangoproject.com/ticket/10357#comment:3
[2] http://docs.python.org/2/library/os.html?highlight=os.execvp#os.execvp
follow-up: 4 comment:3 by , 11 years ago
From the subprocess.call docs:
The full function signature is the same as that of the
Popen
constructor - this functions passes all supplied arguments directly through to that interface.
From the subprocess.Popen docs:
Execute a child program in a new process. On Unix, the class uses
os.execvp()
-like behavior to execute the child program. On Windows, the class uses the WindowsCreateProcess()
function.
Sounds to me subprocess.call
and os.execvp
are explicitly meant to be compatible on Unix, and on Windows os.execvp
isn't an option anyway.
comment:4 by , 11 years ago
Cc: | added |
---|
If only you could add a test to your PR, we can test the new implementation.
comment:5 by , 11 years ago
I would, but I'm not really sure how to approach testing this change. The fact that there are zero existing tests for the DatabaseClient implementations does not help either — it seems historical changes to backends.*.client.DatabaseClient
have never included a testcase.
comment:6 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Proposed fix:
https://github.com/django/django/pull/2412