[Dbconfig-common-changes] [dbconfig-common] r363 - in trunk: .
debian dpkg internal
Sean Finney
seanius at alioth.debian.org
Sun Jan 21 14:15:04 CET 2007
tags 405598 pending
thanks
Author: seanius
Date: 2007-01-21 14:15:03 +0100 (Sun, 21 Jan 2007)
New Revision: 363
Modified:
trunk/dbconfig-generate-include
trunk/debian/changelog
trunk/dpkg/common
trunk/dpkg/config
trunk/internal/mysql
trunk/internal/pgsql
Log:
string escaping, mostly
Modified: trunk/dbconfig-generate-include
===================================================================
--- trunk/dbconfig-generate-include 2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/dbconfig-generate-include 2007-01-21 13:15:03 UTC (rev 363)
@@ -67,6 +67,20 @@
fi
}
+sed_rhs_escape(){
+ local str rhsfile
+ str=$@
+ rhsfile=`mktemp -t dbconfig-generate-include.sedrhs.XXXXXX`
+ if [ ! -f "$rhsfile" ]; then
+ echo "unable to create temporary file $rhsfile" >&2
+ exit 1
+ fi
+
+ sed -e 's/\\/\\&/g' -e 's/&/\\&/g' -e 's,/,\\&,g' < $rhsfile
+ rm -f $rhsfile
+}
+
+
TEMP=`getopt -o af:hb::d::m:o:p::u::s::t::C::O:P::Uv --long help,dbuser::,dbname::,dbpass::,dbport::,dbserver::,dbtype::,basepath::,output:,format:,options:,comment::,owner:,mode:,ucf,version -n $0 -- "$@"`
if [ $? != 0 ] ; then usage >&2 ; exit 1 ; fi
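Review bot: sed_rhs_escape never writes `$str` into `$rhsfile`, so the `sed` call reads an empty temporary file and the function prints nothing; every `_DBC_*_` placeholder that uses it would be replaced by an empty value. The temporary file is not needed, and dropping it also keeps the password off disk: `printf '%s\n' "$str" | sed -e 's/\\/\\&/g' -e 's/&/\\&/g' -e 's,/,\\&,g'`. `str=$@` should be `str=$1`, with callers quoting the argument. The `exit 1` runs inside a command substitution, so it only leaves the subshell and the caller carries on with an empty replacement; the caller should check the result instead.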
@@ -360,13 +374,13 @@
exit 1
fi
cat << EOF > "$sedtmp"
-s/^\(.*\)_DBC_DBUSER_/${comment_dbuser}\1$dbc_dbuser/g
-s/^\(.*\)_DBC_DBPASS_/${comment_dbpass}\1$dbc_dbpass/g
-s/^\(.*\)_DBC_BASEPATH_/${comment_basepath}\1$dbc_basepath/g
-s/^\(.*\)_DBC_DBNAME_/${comment_dbname}\1$dbc_dbname/g
-s/^\(.*\)_DBC_DBSERVER_/${comment_dbserver}\1$dbc_dbserver/g
-s/^\(.*\)_DBC_DBPORT_/${comment_dbport}\1$dbc_dbport/g
-s/^\(.*\)_DBC_DBTYPE_/${comment_dbtype}\1$dbc_dbtype/g
+s/^\(.*\)_DBC_DBUSER_/${comment_dbuser}\1`sed_rhs_escape $dbc_dbuser`/g
+s/^\(.*\)_DBC_DBPASS_/${comment_dbpass}\1`sed_rhs_escape $dbc_dbpass`/g
+s/^\(.*\)_DBC_BASEPATH_/${comment_basepath}\1`sed_rhs_escape $dbc_basepath`/g
+s/^\(.*\)_DBC_DBNAME_/${comment_dbname}\1`sed_rhs_escape $dbc_dbname`/g
+s/^\(.*\)_DBC_DBSERVER_/${comment_dbserver}\1`sed_rhs_escape $dbc_dbserver`/g
+s/^\(.*\)_DBC_DBPORT_/${comment_dbport}\1`sed_rhs_escape $dbc_dbport`/g
+s/^\(.*\)_DBC_DBTYPE_/${comment_dbtype}\1`sed_rhs_escape $dbc_dbtype`/g
EOF
sed -f "$sedtmp" < "$template_infile"
;;
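Review bot: The arguments to sed_rhs_escape on the seven added lines are unquoted, so a value containing spaces or glob characters is word-split and pathname-expanded before it is escaped; runs of spaces collapse and `*` can expand to file names. Quote each one, e.g. `$(sed_rhs_escape "$dbc_dbpass")`. A value containing a newline would still break the generated sed script, which the helper does not handle. The `${comment_*}` prefixes go into the replacement unescaped; that is fine only if they are fixed strings, which is not visible here. The enclosing case branch and the creation of `$sedtmp` lie outside the hunk, so confirm that this file, which now holds the password, is created with restrictive permissions and removed afterwards.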
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/debian/changelog 2007-01-21 13:15:03 UTC (rev 363)
@@ -5,8 +5,17 @@
* dbconfig-load-include now returns the exit status of the "exec"
format (where the output is based on running a script), if appropriate.
thanks to Matt Brown for the patch (closes: #397089).
+ * escape SQL-sensitive characters (' and \) in passwords for user creation
+ SQL snippits.
+ * escape shell/sed sensitive character sequences (', /, \) that are
+ used in dbconfig-generate-include (closes: #405598).
+ * another dpkg order-of-operations corner case: if unpacked but not
+ (pre-)configured, our debconf templates aren't registered yet, so
+ if some dependant package tries to use us in such a state (i.e. its
+ config is run before ours), fail gracefully and let its postinst
+ script pick up the work with a second config run.
- -- sean finney <seanius at debian.org> Sat, 09 Dec 2006 10:55:53 +0100
+ -- sean finney <seanius at debian.org> Sun, 21 Jan 2007 13:38:31 +0100
dbconfig-common (1.8.29) unstable; urgency=medium
Modified: trunk/dpkg/common
===================================================================
--- trunk/dpkg/common 2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/dpkg/common 2007-01-21 13:15:03 UTC (rev 363)
@@ -844,8 +844,12 @@
dbc_debug "dbc_register_debconf() $@"
for f in $dbc_register_templates; do
+ # register the question, but bail if it doesn't (yet) exist
+ # failure is gracefully handled elsewhere
+ if ! db_register dbconfig-common/$f $dbc_package/$f >/dev/null 2>&1; then
+ return 1
+ fi
# perform some basic customizing substitutions
- db_register dbconfig-common/$f $dbc_package/$f
db_subst $dbc_package/$f pkg $dbc_package
if [ "$dbc_dbvendor" ]; then
db_subst $dbc_package/$f dbvendor $dbc_dbvendor
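Review bot: The `>/dev/null 2>&1` on db_register discards the error for every kind of failure, not only the not-yet-registered case described in the comment. The caller added in trunk/dpkg/config then turns any non-zero return into a quiet `return 0`, so a genuine debconf failure would look the same as a deferred configuration. Record the reason before returning, e.g. `dbc_debug "db_register dbconfig-common/$f failed, deferring"`, and quote the arguments as `"dbconfig-common/$f" "$dbc_package/$f"`. The function continues outside the hunk.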
Modified: trunk/dpkg/config
===================================================================
--- trunk/dpkg/config 2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/dpkg/config 2007-01-21 13:15:03 UTC (rev 363)
@@ -20,7 +20,19 @@
##
## register all the dbconfig-common questions
##
- dbc_register_debconf
+ ## note that this can fail in the case that dbconfig-common is being
+ ## installed at the same time as the dependant package and the latter
+ ## is preconfigured before we are (no way to avoid this without being
+ ## in base). in this case we gracefully exit and defer to the second
+ ## time the config script is run by dpkg in the postinst. note if that
+ ## "hack" in dpkg ever goes away we can still work around the issue so
+ ## i think it's fair to avoid over-complicating things in the dependency
+ ## chain.
+ ##
+ if ! dbc_register_debconf; then
+ dbc_debug "dbconfig-common not yet setup, deferring configuration."
+ return 0
+ fi
# make sure debconf is up to date with on-disk configuration
dbc_read_package_config
Modified: trunk/internal/mysql
===================================================================
--- trunk/internal/mysql 2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/internal/mysql 2007-01-21 13:15:03 UTC (rev 363)
@@ -260,7 +260,7 @@
[ -f "$l_sqlfile" ] || return 1
cat << EOF > $l_sqlfile
-GRANT ALL PRIVILEGES ON \`$dbc_dbname\`.* TO \`$dbc_dbuser\`@'$l_dballow' IDENTIFIED BY '$dbc_dbpass';
+GRANT ALL PRIVILEGES ON \`$dbc_dbname\`.* TO \`$dbc_dbuser\`@'$l_dballow' IDENTIFIED BY '`dbc_mysql_escape_str $dbc_dbpass`';
FLUSH PRIVILEGES;
EOF
if dbc_mysql_check_user; then
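Review bot: `dbc_mysql_escape_str $dbc_dbpass` passes the password unquoted while the helper reads only `$1`, so a password containing whitespace is cut at the first space. The account is then created with a shorter password than the one stored in the configuration. Use `$(dbc_mysql_escape_str "$dbc_dbpass")`; the same applies to `dbc_pgsql_escape_str $dbc_dbpass` in the CREATE USER hunk of trunk/internal/pgsql. `$dbc_dbname`, `$dbc_dbuser` and `$l_dballow` are still interpolated into the statement unescaped. The enclosing function starts outside the hunk.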
@@ -355,3 +355,15 @@
rm -f $mycnf
return $dumperr
}
+
+##
+## dbc_mysql_escape_str: properly escape strings passed to mysql queries
+##
+dbc_mysql_escape_str(){
+ local str
+ str=$1
+ cat << EOF | sed -e 's,\\,\\&,g' -e "s,',\\\\&,g"
+$str
+EOF
+}
+
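Review bot: Escaping the quote as `\'` in dbc_mysql_escape_str is only safe while the server treats backslash as an escape character; under MySQL's NO_BACKSLASH_ESCAPES sql_mode the backslash is literal and the quote would end the string in the GRANT statement. Doubling the quote is accepted in either mode, e.g. `-e "s,','',g"` in place of the second expression. The identical dbc_pgsql_escape_str added in trunk/internal/pgsql depends in the same way on PostgreSQL's standard_conforming_strings setting. Backslash doubling stays mode-dependent in both, so the header comment should name the characters escaped and the server mode assumed.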
Modified: trunk/internal/pgsql
===================================================================
--- trunk/internal/pgsql 2006-12-09 09:56:07 UTC (rev 362)
+++ trunk/internal/pgsql 2007-01-21 13:15:03 UTC (rev 363)
@@ -148,7 +148,7 @@
if [ "$dbc_ssl" ]; then PGSSLMODE="require"; fi
extra=`_dbc_psql_cmd_args`
dbc_dbname="template1"
- _dbc_pgsql_exec_command "CREATE USER \"$dbc_dbuser\" WITH PASSWORD '$dbc_dbpass'" || retval=$?
+ _dbc_pgsql_exec_command "CREATE USER \"$dbc_dbuser\" WITH PASSWORD '`dbc_pgsql_escape_str $dbc_dbpass`'" || retval=$?
_dbc_psql_cmd_cleanup
return $retval
}
@@ -455,3 +455,14 @@
_dbc_pgsql_check_connect || return 1
_dbc_pg_dump $dumpfile
}
+
+##
+## dbc_pgsql_escape_str: properly escape strings passed to pgsql queries
+##
+dbc_pgsql_escape_str(){
+ local str
+ str=$1
+ cat << EOF | sed -e 's,\\,\\&,g' -e "s,',\\\\&,g"
+$str
+EOF
+}