
Escape % in db+table names before adding to a format string being passed into db.execute()

Fixes #416
This commit is contained in:
Toshio Kuratomi 2014-12-01 10:38:47 -08:00 committed by Matt Clay
parent fe787f1bc9
commit ddc81c7b93


@ -184,7 +184,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
changed = False changed = False
grant_option = False grant_option = False
# Handle passwords. # Handle passwords
if password is not None: if password is not None:
cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host)) cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
current_pass_hash = cursor.fetchone() current_pass_hash = cursor.fetchone()
@ -194,7 +194,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user,host,password)) cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user,host,password))
changed = True changed = True
# Handle privileges. # Handle privileges
if new_priv is not None: if new_priv is not None:
curr_priv = privileges_get(cursor, user,host) curr_priv = privileges_get(cursor, user,host)
@ -297,6 +297,8 @@ def privileges_unpack(priv):
return output return output
def privileges_revoke(cursor, user,host,db_table,grant_option): def privileges_revoke(cursor, user,host,db_table,grant_option):
# Escape '%' since mysql db.execute() uses a format string
db_table = db_table.replace('%', '%%')
if grant_option: if grant_option:
query = ["REVOKE GRANT OPTION ON %s" % mysql_quote_identifier(db_table, 'table')] query = ["REVOKE GRANT OPTION ON %s" % mysql_quote_identifier(db_table, 'table')]
query.append("FROM %s@%s") query.append("FROM %s@%s")
@ -308,7 +310,9 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
cursor.execute(query, (user, host)) cursor.execute(query, (user, host))
def privileges_grant(cursor, user,host,db_table,priv): def privileges_grant(cursor, user,host,db_table,priv):
# Escape '%' since mysql db.execute uses a format string and the
# specification of db and table often use a % (SQL wildcard)
db_table = db_table.replace('%', '%%')
priv_string = ",".join(filter(lambda x: x != 'GRANT', priv)) priv_string = ",".join(filter(lambda x: x != 'GRANT', priv))
query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))] query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
query.append("TO %s@%s") query.append("TO %s@%s")
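Review bot: The `db_table = db_table.replace('%', '%%')` line added at the top of privileges_grant (and the matching line in privileges_revoke) only works because the trailing `cursor.execute(query, (user, host))` passes a parameter tuple, which is what makes the DB-API layer collapse `%%` back to `%`; if a later refactor calls execute without parameters, the doubled `%%` reaches the server literally and the quoted identifier no longer matches. That coupling is worth stating in the comment so it survives edits, e.g. `# Escape '%' because cursor.execute(query, params) %-formats the query; the '%%' is only collapsed when a params tuple is passed.` The same hunk still interpolates `priv_string` into the `"GRANT %s ON %s"` format string unescaped, which is fine if privilege names are validated against a fixed list before reaching here (not visible in this hunk), and otherwise needs the same treatment. Both function bodies continue past the hunk, so whether the escaped `db_table` is also reused in a non-query context such as an error message cannot be confirmed from what is shown.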