From ed62a2f87312ced2bc555cad2d756a2228f1987d Mon Sep 17 00:00:00 2001 From: Anton Zhabolenko Date: Fri, 1 Feb 2019 13:07:25 +0300 Subject: [PATCH 1/2] Fix insecure SQL queries in mysql.user_chpass --- salt/modules/mysql.py | 15 +++++---------- tests/unit/modules/test_mysql.py | 6 +++++- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/salt/modules/mysql.py b/salt/modules/mysql.py index 46eea8e904..6d33b26f94 100644 --- a/salt/modules/mysql.py +++ b/salt/modules/mysql.py @@ -1533,23 +1533,18 @@ def user_chpass(user, password_column = __password_column(**connection_args) cur = dbc.cursor() + args['user'] = user + args['host'] = host if salt.utils.versions.version_cmp(server_version, '8.0.11') >= 0: - qry = ("ALTER USER '" + user + "'@'" + host + "'" - " IDENTIFIED BY '" + password + "';") - args = {} + qry = "ALTER USER %(user)s@%(host)s IDENTIFIED BY %(password)s;" else: - qry = ('UPDATE mysql.user SET ' + password_column + '=' - + password_sql + + qry = ('UPDATE mysql.user SET ' + password_column + '=' + password_sql + ' WHERE User=%(user)s AND Host = %(host)s;') - args['user'] = user - args['host'] = host if salt.utils.data.is_true(allow_passwordless) and \ salt.utils.data.is_true(unix_socket): if host == 'localhost': if salt.utils.versions.version_cmp(server_version, '8.0.11') >= 0: - qry = ("ALTER USER '" + user + "'@'" + host + "'" - " IDENTIFIED BY '" + password + "';") - args = {} + qry = "ALTER USER %(user)s@%(host)s IDENTIFIED BY %(password)s;" else: qry = ('UPDATE mysql.user SET ' + password_column + '=' + password_sql + ', plugin=%(unix_socket)s' + diff --git a/tests/unit/modules/test_mysql.py b/tests/unit/modules/test_mysql.py index cb38a2f426..5fe1b36d93 100644 --- a/tests/unit/modules/test_mysql.py +++ b/tests/unit/modules/test_mysql.py @@ -187,7 +187,11 @@ class MySQLTestCase(TestCase, LoaderModuleMockMixin): mysql.user_chpass('testuser', password='BLUECOW') calls = ( call().cursor().execute( - "ALTER USER 'testuser'@'localhost' IDENTIFIED BY 'BLUECOW';" + "ALTER USER %(user)s@%(host)s IDENTIFIED BY %(password)s;", + {'password': 'BLUECOW', + 'user': 'testuser', + 'host': 'localhost', + } ), call().cursor().execute('FLUSH PRIVILEGES;'), ) From f47dda61e651ea1e38fbc0bf6ab5272380b1491e Mon Sep 17 00:00:00 2001 From: Anton Zhabolenko Date: Fri, 1 Feb 2019 16:52:52 +0300 Subject: [PATCH 2/2] Fix improper use of socket authentication in mysql.user_chpass --- salt/modules/mysql.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/modules/mysql.py b/salt/modules/mysql.py index 6d33b26f94..e58787ee86 100644 --- a/salt/modules/mysql.py +++ b/salt/modules/mysql.py @@ -1543,13 +1543,13 @@ def user_chpass(user, if salt.utils.data.is_true(allow_passwordless) and \ salt.utils.data.is_true(unix_socket): if host == 'localhost': + args['unix_socket'] = 'auth_socket' if salt.utils.versions.version_cmp(server_version, '8.0.11') >= 0: - qry = "ALTER USER %(user)s@%(host)s IDENTIFIED BY %(password)s;" + qry = "ALTER USER %(user)s@%(host)s IDENTIFIED WITH %(unix_socket)s AS %(user)s;" else: qry = ('UPDATE mysql.user SET ' + password_column + '=' + password_sql + ', plugin=%(unix_socket)s' + ' WHERE User=%(user)s AND Host = %(host)s;') - args['unix_socket'] = 'unix_socket' else: log.error('Auth via unix_socket can be set only for host=localhost') try: