From ddc81c7b9327dcf4c9f0f9dd460c06e244a99441 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Mon, 1 Dec 2014 10:38:47 -0800
Subject: [PATCH] Escape % in db+table names before adding to a format string being passed into db.execute()

Fixes #416
---
 lib/ansible/modules/database/mysql/mysql_user.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/ansible/modules/database/mysql/mysql_user.py b/lib/ansible/modules/database/mysql/mysql_user.py
index e8461a0585..1fc57dc953 100644
--- a/lib/ansible/modules/database/mysql/mysql_user.py
+++ b/lib/ansible/modules/database/mysql/mysql_user.py
@@ -184,7 +184,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
 changed = False
 grant_option = False
- # Handle passwords.
+ # Handle passwords
 if password is not None:
 cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
 current_pass_hash = cursor.fetchone()
@@ -194,7 +194,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
 cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user,host,password))
 changed = True
- # Handle privileges.
+ # Handle privileges
 if new_priv is not None:
 curr_priv = privileges_get(cursor, user,host)
@@ -297,6 +297,8 @@ def privileges_unpack(priv):
 return output
 def privileges_revoke(cursor, user,host,db_table,grant_option):
+ # Escape '%' since mysql db.execute() uses a format string
+ db_table = db_table.replace('%', '%%')
 if grant_option:
 query = ["REVOKE GRANT OPTION ON %s" % mysql_quote_identifier(db_table, 'table')]
 query.append("FROM %s@%s")
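Review bot: The added `db_table = db_table.replace('%', '%%')` in `privileges_revoke` (and the identical lines in the `privileges_grant` hunk below) rebinds the parameter before `mysql_quote_identifier(db_table, 'table')` sees it, so the quoting helper now receives `%%` rather than the wildcard the caller wrote, and every later use of `db_table` in the function body, which continues past this hunk, gets the doubled form too; if that helper validates or splits the identifier, or the name is reused for anything other than query text, that is a behaviour change worth confirming. Escaping the quoted result instead keeps the transformation next to the one place that needs it, e.g. `mysql_quote_identifier(db_table, 'table').replace('%', '%%')` in the `query = [...]` line. The `%%` form is correct only because `cursor.execute(query, (user, host))` passes a parameter tuple, which is what makes MySQLdb run `%`-formatting over the query string; an execute call without parameters would send a literal `%%` to the server, so the comment should state that dependency, e.g. `# '%%' because cursor.execute(query, params) %-formats the query; keep passing params`. Note too that the identifier is still interpolated rather than bound, so this fix addresses the format-string breakage only and identifier safety continues to rest on mysql_quote_identifier.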
@@ -308,7 +310,9 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
 cursor.execute(query, (user, host))
 def privileges_grant(cursor, user,host,db_table,priv):
-
+ # Escape '%' since mysql db.execute uses a format string and the
+ # specification of db and table often use a % (SQL wildcard)
+ db_table = db_table.replace('%', '%%')
 priv_string = ",".join(filter(lambda x: x != 'GRANT', priv))
 query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
 query.append("TO %s@%s")