Merge pull request #6461 from risaacson/modules_make_run_command_safer

Modules make run command safer

Merge pull request #6461 from risaacson/modules_make_run_command_safer
Modules make run command safer
b4894065 · Richard Isaacson · Michael DeHaan · 4c378189 · b4894065
Commit b4894065 authored Mar 12, 2014 by Richard Isaacson Committed by Michael DeHaan Mar 13, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 16 deletions

library/database/mysql_db
+17 -16

No files found.
--- a/library/database/mysql_db
+++ b/library/database/mysql_db
@@ -101,6 +101,7 @@ EXAMPLES = '''

 import ConfigParser
 import os
+import pipes
 try:
    import MySQLdb
 except ImportError:
@@ -123,36 +124,36 @@ def db_delete(cursor, db):

 def db_dump(module, host, user, password, db_name, target, port, socket=None):
    cmd = module.get_bin_path('mysqldump', True)
-    cmd += " --quick --user=%s --password='%s'" %(user, password)
+    cmd += " --quick --user=%s --password='%s'" % (pipes.quote(user), pipes.quote(password))
    if socket is not None:
-        cmd += " --socket=%s" % socket
+        cmd += " --socket=%s" % pipes.quote(socket)
    else:
-        cmd += " --host=%s --port=%s" % (host, port)
-    cmd += " %s" % db_name
+        cmd += " --host=%s --port=%s" % (pipes.quote(host), pipes.quote(port))
+    cmd += " %s" % pipes.quote(db_name)
    if os.path.splitext(target)[-1] == '.gz':
-        cmd = cmd + ' | gzip > ' + target
+        cmd = cmd + ' | gzip > ' + pipes.quote(target)
    elif os.path.splitext(target)[-1] == '.bz2':
-        cmd = cmd + ' | bzip2 > ' + target
+        cmd = cmd + ' | bzip2 > ' + pipes.quote(target)
    else:
-        cmd += " > %s" % target
-    rc, stdout, stderr = module.run_command(cmd)
+        cmd += " > %s" % pipes.quote(target)
+    rc, stdout, stderr = module.run_command(cmd, use_unsafe_shell=True)
    return rc, stdout, stderr

 def db_import(module, host, user, password, db_name, target, port, socket=None):
    cmd = module.get_bin_path('mysql', True)
-    cmd += " --user=%s --password='%s'" %(user, password)
+    cmd += " --user=%s --password='%s'" % (pipes.quote(user), pipes.quote(password))
    if socket is not None:
-        cmd += " --socket=%s" % socket
+        cmd += " --socket=%s" % pipes.quote(socket)
    else:
-        cmd += " --host=%s --port=%s" % (host, port)
-    cmd += " -D %s" % db_name
+        cmd += " --host=%s --port=%s" % (pipes.quote(host), pipes.quote(port))
+    cmd += " -D %s" % pipes.quote(db_name)
    if os.path.splitext(target)[-1] == '.gz':
-        cmd = 'gunzip < ' + target + ' | ' + cmd
+        cmd = 'gunzip < ' + pipes.quote(target) + ' | ' + cmd
    elif os.path.splitext(target)[-1] == '.bz2':
-        cmd = 'bunzip2 < ' + target + ' | ' + cmd
+        cmd = 'bunzip2 < ' + pipes.quote(target) + ' | ' + cmd
    else:
-        cmd += " < %s" % target
-    rc, stdout, stderr = module.run_command(cmd)
+        cmd += " < %s" % pipes.quote(target)
+    rc, stdout, stderr = module.run_command(cmd, use_unsafe_shell=True)
    return rc, stdout, stderr

 def db_create(cursor, db, encoding, collation):