Changes between Initial Version and Version 1 of Ticket #32061
- Timestamp: Oct 1, 2020, 10:16:26 AM (4 years ago)
Ticket #32061 – Description
--- initial
+++ v1
-''I reported this issue to the security team on September 9th 2020 but it was deemed that it was better to handle it in public. On September 30th Charlie Denton also reported the issue to the security team hence why I'm finally creating a ticket for this so he also gets credit ''
+''I reported this issue to the security team on September 9th 2020 but it was deemed that it was better to handle it in public. On September 30th Charlie Denton also reported the issue to the security team hence why I'm finally creating a ticket for this so he also gets credit.''
 
-A variant of this issue was initially reported 5 years ago (#24999) where the reporter mentioned that usage of the --passwordflag when spawning a mysql shell process would show up in ps with the password in plain text.
+A variant of this issue was initially reported 5 years ago (#24999) where the reporter mentioned that usage of the `--password` flag when spawning a mysql shell process would show up in ps with the password in plain text.
 
-What I'm reporting now is that if the dbshell management crash on backends that pass the `--password` flag in plain text (e.g. MySQL) the
-`CalledProcessError` exception raised will have the following signature
+What I'm reporting now is that if the dbshell management crash on backends that pass the `--password` flag in plain text (e.g. MySQL) the `CalledProcessError` exception raised will have the following signature
 
 
 {{{
-CalledProcessError: Command '['my cl', '--user=user', '--password=p4ssword', '--host=host', '--port=3306', 'database']' returned non-zero exit status 1.
+CalledProcessError: Command '['mysql', '--user=user', '--password=p4ssword', '--host=host', '--port=3306', 'database']' returned non-zero exit status 1.
 }}}
 
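
An added example (not part of the ticket and not Django's code) that reproduces the leak described above with a constructed stand-in for the client, then shows two mitigations: handing the password to the child through the `MYSQL_PWD` environment variable, which the mysql client reads, and masking `--password=` values before an argv is logged or reported. `FAKE_CLIENT`, `SECRET` and the function names are assumptions made for the example.

```python
import os
import subprocess
import sys

# Constructed stand-in for a crashing client (an assumption of this example):
# a child Python process that ignores its extra arguments and exits with 1.
FAKE_CLIENT = [sys.executable, "-c", "import sys; sys.exit(1)"]
SECRET = "p4ssword"  # constructed sample value, taken from the ticket's example


def run_with_password_flag():
    """Password on the command line: it ends up in the exception text."""
    args = FAKE_CLIENT + ["--user=user", f"--password={SECRET}", "database"]
    try:
        subprocess.run(args, check=True)
    except subprocess.CalledProcessError as exc:
        return str(exc)  # the message embeds repr(args), secret included
    return ""


def run_with_password_env():
    """Password in the child's environment: argv, and so the error, is clean."""
    args = FAKE_CLIENT + ["--user=user", "database"]
    env = {**os.environ, "MYSQL_PWD": SECRET}
    try:
        subprocess.run(args, env=env, check=True)
    except subprocess.CalledProcessError as exc:
        return str(exc)  # env is not part of the exception message
    return ""


def redact(argv):
    """Mask --password=... values before an argv is logged or reported."""
    return [
        a.split("=", 1)[0] + "=********" if a.startswith("--password=") else a
        for a in argv
    ]


if __name__ == "__main__":
    print(run_with_password_flag())
    print(run_with_password_env())
    print(redact(["mysql", "--user=user", "--password=p4ssword", "database"]))
```

The environment is not part of the `CalledProcessError` message, but the secret still exists in the child's environment, so error reporters that capture environment variables need the same masking.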