[Dbconfig-common-changes] [dbconfig-common] r363 - in trunk: . debian dpkg internal

Sean Finney seanius at alioth.debian.org
Sun Jan 21 14:15:04 CET 2007


tags 405598 pending
thanks

Author: seanius
Date: 2007-01-21 14:15:03 +0100 (Sun, 21 Jan 2007)
New Revision: 363

Modified:
   trunk/dbconfig-generate-include
   trunk/debian/changelog
   trunk/dpkg/common
   trunk/dpkg/config
   trunk/internal/mysql
   trunk/internal/pgsql
Log:
string escaping, mostly

Modified: trunk/dbconfig-generate-include
===================================================================
--- trunk/dbconfig-generate-include	2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/dbconfig-generate-include	2007-01-21 13:15:03 UTC (rev 363)
@@ -67,6 +67,20 @@
 	fi
 }
 
+sed_rhs_escape(){
+    local str rhsfile
+    str=$@
+    rhsfile=`mktemp -t dbconfig-generate-include.sedrhs.XXXXXX`
+    if [ ! -f "$rhsfile" ]; then
+        echo "unable to create temporary file $rhsfile" >&2
+        exit 1
+    fi
+
+    sed -e 's/\\/\\&/g' -e 's/&/\\&/g' -e 's,/,\\&,g' < $rhsfile
+    rm -f $rhsfile
+}
+
+
 TEMP=`getopt -o af:hb::d::m:o:p::u::s::t::C::O:P::Uv --long help,dbuser::,dbname::,dbpass::,dbport::,dbserver::,dbtype::,basepath::,output:,format:,options:,comment::,owner:,mode:,ucf,version -n $0 -- "$@"`
 
 if [ $? != 0 ] ; then usage >&2 ; exit 1 ; fi
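Review bot: `sed_rhs_escape` assigns `str=$@` but never writes it to `$rhsfile`, so the `sed ... < $rhsfile` line reads an empty file and the function prints nothing. Every `_DBC_*_` placeholder in the template hunk below would then be replaced with an empty string. The temporary file can go entirely: `printf '%s\n' "$str" | sed -e 's/\\/\\&/g' -e 's/&/\\&/g' -e 's,/,\\&,g'`, with `str=$*` (or `$1`) so the assignment is well defined. If the file is kept, `$rhsfile` needs quoting in the `sed` and `rm` lines.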
@@ -360,13 +374,13 @@
 		exit 1
 	fi
 	cat << EOF > "$sedtmp"
-s/^\(.*\)_DBC_DBUSER_/${comment_dbuser}\1$dbc_dbuser/g
-s/^\(.*\)_DBC_DBPASS_/${comment_dbpass}\1$dbc_dbpass/g
-s/^\(.*\)_DBC_BASEPATH_/${comment_basepath}\1$dbc_basepath/g
-s/^\(.*\)_DBC_DBNAME_/${comment_dbname}\1$dbc_dbname/g
-s/^\(.*\)_DBC_DBSERVER_/${comment_dbserver}\1$dbc_dbserver/g
-s/^\(.*\)_DBC_DBPORT_/${comment_dbport}\1$dbc_dbport/g
-s/^\(.*\)_DBC_DBTYPE_/${comment_dbtype}\1$dbc_dbtype/g
+s/^\(.*\)_DBC_DBUSER_/${comment_dbuser}\1`sed_rhs_escape $dbc_dbuser`/g
+s/^\(.*\)_DBC_DBPASS_/${comment_dbpass}\1`sed_rhs_escape $dbc_dbpass`/g
+s/^\(.*\)_DBC_BASEPATH_/${comment_basepath}\1`sed_rhs_escape $dbc_basepath`/g
+s/^\(.*\)_DBC_DBNAME_/${comment_dbname}\1`sed_rhs_escape $dbc_dbname`/g
+s/^\(.*\)_DBC_DBSERVER_/${comment_dbserver}\1`sed_rhs_escape $dbc_dbserver`/g
+s/^\(.*\)_DBC_DBPORT_/${comment_dbport}\1`sed_rhs_escape $dbc_dbport`/g
+s/^\(.*\)_DBC_DBTYPE_/${comment_dbtype}\1`sed_rhs_escape $dbc_dbtype`/g
 EOF
 	sed -f "$sedtmp" < "$template_infile" 
 ;;
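Review bot: The `sed_rhs_escape $dbc_...` substitutions in the here-document pass the values unquoted, so a password containing runs of whitespace or glob characters such as `*` is word-split and pathname-expanded before it is escaped. Quoting the argument, e.g. `$(sed_rhs_escape "$dbc_dbpass")`, keeps the value intact. The escaping is also line-oriented: a value containing a newline would still end the `s` command early and the remainder would be read by `sed -f` as script text, so such values should be rejected before the script is written. The `${comment_*}` prefixes go into the same replacement unescaped, which is fine only if they are fixed strings set elsewhere in the file; this hunk does not show that. The enclosing `case` branch starts outside the hunk.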

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/debian/changelog	2007-01-21 13:15:03 UTC (rev 363)
@@ -5,8 +5,17 @@
   * dbconfig-load-include now returns the exit status of the "exec"
     format (where the output is based on running a script), if appropriate.
     thanks to Matt Brown for the patch (closes: #397089).
+  * escape SQL-sensitive characters (' and \) in passwords for user creation
+    SQL snippits.
+  * escape shell/sed sensitive character sequences (', /, \) that are
+    used in dbconfig-generate-include (closes: #405598).
+  * another dpkg order-of-operations corner case: if unpacked but not
+    (pre-)configured, our debconf templates aren't registered yet, so
+    if some dependant package tries to use us in such a state (i.e. its
+    config is run before ours), fail gracefully and let its postinst
+    script pick up the work with a second config run.
 
- -- sean finney <seanius at debian.org>  Sat, 09 Dec 2006 10:55:53 +0100
+ -- sean finney <seanius at debian.org>  Sun, 21 Jan 2007 13:38:31 +0100
 
 dbconfig-common (1.8.29) unstable; urgency=medium
 

Modified: trunk/dpkg/common
===================================================================
--- trunk/dpkg/common	2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/dpkg/common	2007-01-21 13:15:03 UTC (rev 363)
@@ -844,8 +844,12 @@
 	dbc_debug "dbc_register_debconf() $@"
 
 	for f in $dbc_register_templates; do
+		# register the question, but bail if it doesn't (yet) exist
+		# failure is gracefully handled elsewhere
+		if ! db_register dbconfig-common/$f $dbc_package/$f >/dev/null 2>&1; then
+			return 1
+		fi
 		# perform some basic customizing substitutions
-		db_register dbconfig-common/$f $dbc_package/$f
 		db_subst $dbc_package/$f pkg $dbc_package
 		if [ "$dbc_dbvendor" ]; then
 			db_subst $dbc_package/$f dbvendor $dbc_dbvendor
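Review bot: The new `db_register` guard sends both stdout and stderr to `/dev/null` and returns 1 on any failure, so a genuine debconf error is indistinguishable from the "templates not yet registered" case the comment describes. The caller changed in trunk/dpkg/config then turns that into `return 0` with only a `dbc_debug` message, so the failure leaves no trace unless debugging is on. Consider logging before the return, e.g. `dbc_debug "db_register failed for $dbc_package/$f"`, and note that a failure part-way through the loop leaves earlier templates registered. The loop body and the enclosing function continue outside the hunk.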

Modified: trunk/dpkg/config
===================================================================
--- trunk/dpkg/config	2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/dpkg/config	2007-01-21 13:15:03 UTC (rev 363)
@@ -20,7 +20,19 @@
 	##
 	## register all the dbconfig-common questions
 	##
-	dbc_register_debconf
+	## note that this can fail in the case that dbconfig-common is being
+	## installed at the same time as the dependant package and the latter
+	## is preconfigured before we are (no way to avoid this without being
+	## in base).  in this case we gracefully exit and defer to the second
+	## time the config script is run by dpkg in the postinst.   note if that
+	## "hack" in dpkg ever goes away we can still work around the issue so
+	## i think it's fair to avoid over-complicating things in the dependency
+	## chain.
+	##
+	if ! dbc_register_debconf; then
+		dbc_debug "dbconfig-common not yet setup, deferring configuration."
+		return 0
+	fi
 	
 	# make sure debconf is up to date with on-disk configuration
 	dbc_read_package_config

Modified: trunk/internal/mysql
===================================================================
--- trunk/internal/mysql	2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/internal/mysql	2007-01-21 13:15:03 UTC (rev 363)
@@ -260,7 +260,7 @@
 	[ -f "$l_sqlfile" ] || return 1
 
 	cat << EOF > $l_sqlfile
-GRANT ALL PRIVILEGES ON \`$dbc_dbname\`.* TO \`$dbc_dbuser\`@'$l_dballow' IDENTIFIED BY '$dbc_dbpass';
+GRANT ALL PRIVILEGES ON \`$dbc_dbname\`.* TO \`$dbc_dbuser\`@'$l_dballow' IDENTIFIED BY '`dbc_mysql_escape_str $dbc_dbpass`';
 FLUSH PRIVILEGES;
 EOF
 	if dbc_mysql_check_user; then
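Review bot: The password is passed as unquoted `$dbc_dbpass` to `dbc_mysql_escape_str`, which reads only `$1`, so a password containing a space is cut at the first word (and glob characters are expanded) before it reaches the `IDENTIFIED BY` clause. Escape it into a local first, `l_dbpass=$(dbc_mysql_escape_str "$dbc_dbpass")`, and interpolate `$l_dbpass` in the here-document. The `CREATE USER` line in trunk/internal/pgsql has the same problem with `dbc_pgsql_escape_str`. `$dbc_dbname`, `$dbc_dbuser` and `$l_dballow` are still interpolated into the statement without escaping. The enclosing function starts outside the hunk.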
@@ -355,3 +355,15 @@
 	rm -f $mycnf
 	return $dumperr
 }
+
+##
+## dbc_mysql_escape_str: properly escape strings passed to mysql queries
+##
+dbc_mysql_escape_str(){
+	local str
+	str=$1
+	cat << EOF | sed -e 's,\\,\\&,g' -e "s,',\\\\&,g"
+$str
+EOF
+}
+
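Review bot: The header comment on `dbc_mysql_escape_str` says "properly escape" without stating the contract: the function only backslash-escapes `\` and `'`, so the result is safe solely inside a single-quoted literal. It also depends on the server treating backslash as an escape character, which MySQL's `NO_BACKSLASH_ESCAPES` SQL mode turns off. I would extend the comment to something like `## escapes \ and ' for use inside a '...' literal; assumes backslash escapes are enabled`.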

Modified: trunk/internal/pgsql
===================================================================
--- trunk/internal/pgsql	2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/internal/pgsql	2007-01-21 13:15:03 UTC (rev 363)
@@ -148,7 +148,7 @@
 	if [ "$dbc_ssl" ]; then PGSSLMODE="require"; fi
 	extra=`_dbc_psql_cmd_args`
 	dbc_dbname="template1"
-	_dbc_pgsql_exec_command "CREATE USER \"$dbc_dbuser\" WITH PASSWORD '$dbc_dbpass'" || retval=$?
+	_dbc_pgsql_exec_command "CREATE USER \"$dbc_dbuser\" WITH PASSWORD '`dbc_pgsql_escape_str $dbc_dbpass`'" || retval=$?
 	_dbc_psql_cmd_cleanup
 	return $retval
 }
@@ -455,3 +455,14 @@
 	_dbc_pgsql_check_connect || return 1
 	_dbc_pg_dump $dumpfile
 }
+
+##
+## dbc_pgsql_escape_str: properly escape strings passed to pgsql queries
+##
+dbc_pgsql_escape_str(){
+	local str
+	str=$1
+	cat << EOF | sed -e 's,\\,\\&,g' -e "s,',\\\\&,g"
+$str
+EOF
+}
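Review bot: `dbc_pgsql_escape_str` escapes a quote as `\'`, which PostgreSQL accepts in a plain `'...'` literal only when `standard_conforming_strings` is off; with it on, the backslash is literal and the quote ends the string. Doubling the quote is accepted under both settings: `-e "s,',&&,g"` in place of the second expression. Backslash handling then still depends on the setting, so the `CREATE USER` call site would need an `E'...'` literal for the doubled backslashes to be read consistently. The function is otherwise a copy of `dbc_mysql_escape_str` in trunk/internal/mysql.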



