Re: Patch for review: "Handle InnoDB tables in copy-backup.py"
- From: Owen Taylor <otaylor redhat com>
- To: Tobias Mueller <muelli auftrags-killer org>
- Cc: gnome-infrastructure gnome org, Olav Vitters <olav bkor dhs org>
- Subject: Re: Patch for review: "Handle InnoDB tables in copy-backup.py"
- Date: Sun, 09 Aug 2009 22:19:00 -0400
On Sun, 2009-08-09 at 23:50 +0200, Tobias Mueller wrote:
> And in case anybody creates a database name with metacharacters for the
> filesystem (like "." or "/" or ".."), we should normalize and check
> whether we have left the directory just for security reasons. If so,
> bail out. Note, that I don't know if it's even possible to create such a
> database with MySQL. [...]
So, wasted a bunch of time on this and it turns out that it's
possible to create a MySQL database named absolutely anything, with
the only restriction being that it can't conflict with reserved
names.
Directory metacharacters? Arbitrary unicode? Spaces? Tabs? Quotes?
Random control characters like ^H? Sure, whatever you want.
Now, the fact is we don't hand out database granting permissions to
any accounts but the root account, and we're certainly not going to
create databases named ../../../etc/passwd or whatever. So, it doesn't
really matter. But for completeness, the attached patch seems to be
robust against whatever I throw at it.
I originally got it working without using python-MySQL, but if the
hand-escaping for popen() didn't pass muster, I don't think it would
have gotten past review here either :-)
Attached patch is incremental on my last patch.
- Owen
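
The normalize-and-check idea from the quoted suggestion, sketched as an added example; it is not the attached patch and not part of either message. The one-directory-per-database layout under a backup root, and every name below, are assumptions.

```python
import os


class UnsafeDatabaseName(ValueError):
    """Raised when a database name would not map to a direct child of the root."""


def backup_dir_for(backup_root, db_name):
    """Return the backup directory for db_name under backup_root, or raise.

    Assumed layout for this example: <backup_root>/<db_name>/.
    """
    # An empty name or an embedded NUL can never be a valid path component.
    if not db_name or "\0" in db_name:
        raise UnsafeDatabaseName(repr(db_name))
    root = os.path.realpath(backup_root)
    # Normalize: realpath collapses "." and ".." and resolves symlinks.
    candidate = os.path.realpath(os.path.join(root, db_name))
    # Bail out unless the result is a direct child of the root AND the name
    # survived normalization unchanged. The second test rejects "a/../b",
    # which would otherwise silently alias the database named "b".
    if os.path.dirname(candidate) != root or os.path.basename(candidate) != db_name:
        raise UnsafeDatabaseName(repr(db_name))
    return candidate


def partition_names(backup_root, names):
    """Split names into (accepted, rejected) lists using backup_dir_for."""
    accepted, rejected = [], []
    for name in names:
        try:
            backup_dir_for(backup_root, name)
            accepted.append(name)
        except UnsafeDatabaseName:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample names covering the cases raised in the thread.
    samples = ["bugzilla", "odd name\t\x08", "..", ".", "a/b",
               "../../../etc/passwd", "/etc/passwd", "a/../b"]
    ok, bad = partition_names("/var/backups/mysql", samples)
    print("accepted:", ok)
    print("rejected:", bad)
```

Names containing spaces, tabs, quotes or control characters pass, since they are legal single path components; only names that change the resulting directory are refused.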