id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32061	Credential leaks on dbshell crash on MySQL and Oracle.	Simon Charette	Mariusz Felisiak	"''I reported this issue to the security team on September 9th 2020 but it was deemed that it was better to handle it in public. On September 30th Charlie Denton also reported the issue to the security team hence why I'm finally creating a ticket for this so he also gets credit.''

A variant of this issue was initially reported 5 years ago (#24999) where the reporter mentioned that usage of the `--password` flag when spawning a mysql shell process would show up in ps with the password in plain text.

What I'm reporting now is that if the dbshell management command crashes on backends that pass the `--password` flag in plain text (e.g. MySQL) the `CalledProcessError` exception raised will have the following signature

{{{
CalledProcessError: Command '['mysql', '--user=user', '--password=p4ssword', '--host=host', '--port=3306', 'database']' returned non-zero exit status 1.
}}}

That's not a big deal when no form of logging is in place but when it's the case (e.g. Sentry, Elastic, Graylog) it's possible for some systems to fail at obfuscating the `--password=` part due to the complex nature of the string.

In order to prevent that from happening I suggest we override [https://github.com/django/django/blob/9e8edc1e5511f128dec6bcd70a10ebd263b76280/django/db/backends/mysql/client.py#L52 MySQL backend's runshell method] to pass `env={'MYSQL_PWD': PASSWORD}` instead of using the `--password` flag even if [https://dev.mysql.com/doc/refman/8.0/en/environment-variables.html it looks like this is discouraged] (and even meant to be deprecated?) for reasons similar to the ones mentioned in #24999. [https://github.com/django/django/blob/5b884d45ac5b76234eca614d90c83b347294c332/django/db/backends/postgresql/client.py#L35-L37 That's the exact approach currently used by the PostgreSQL backend though].

An alternative could be using the [https://pypi.org/project/pexpect/ pexpect library] to provide the password when prompted instead, but I fear this solution might not be suitable due to the external dependency it would incur. I haven't investigated how complex it would be to implement a cross-platform vendored solution without the use of `pexpect`, but I fear dragons may lurk in the details of dealing with that properly."	Bug	assigned	Core (Management commands)	3.1	Normal				Accepted	0	0	0	0	0	0
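An added illustration of the leak described in the ticket (this is example code, not part of the ticket or of Django's own client module): the mysql command is built both ways, a stand-in process that exits non-zero takes the place of the real mysql binary, and the text of the resulting `CalledProcessError` is checked for the password. The settings dict, credentials and helper names are constructed for this example.

```python
import os
import subprocess
import sys

# Constructed DATABASES-style settings; the credentials are not real.
SETTINGS = {"NAME": "database", "USER": "user", "PASSWORD": "p4ssword",
            "HOST": "host", "PORT": "3306"}


def build_command(settings, password_via_env):
    """Return (args, env) for spawning the mysql client.

    password_via_env=False mirrors the behaviour the ticket reports: the
    secret is placed on argv, so it is visible in ps and in any
    CalledProcessError.  password_via_env=True mirrors the proposed fix:
    argv carries no secret and MYSQL_PWD carries it instead (the child
    still sees it in its environment, which is the trade-off the ticket
    mentions, but it no longer appears in the exception text).
    """
    args = ["mysql", "--user=%s" % settings["USER"]]
    env = os.environ.copy()
    if password_via_env:
        env["MYSQL_PWD"] = settings["PASSWORD"]
    else:
        args.append("--password=%s" % settings["PASSWORD"])
    args += ["--host=%s" % settings["HOST"],
             "--port=%s" % settings["PORT"], settings["NAME"]]
    return args, env


def crash_message(args, env):
    """Run a stand-in that exits 1 (so no mysql binary is needed) with the
    full mysql argv appended, and return the CalledProcessError text that
    a logger or error tracker would capture on a dbshell crash."""
    stub = [sys.executable, "-c", "raise SystemExit(1)"] + args
    try:
        subprocess.run(stub, env=env, check=True)
    except subprocess.CalledProcessError as exc:
        return str(exc)
    return ""


def password_leaks(settings, password_via_env):
    """True if the password shows up in the crash message."""
    args, env = build_command(settings, password_via_env)
    return settings["PASSWORD"] in crash_message(args, env)


if __name__ == "__main__":
    print("argv flag leaks:", password_leaks(SETTINGS, False))   # True
    print("MYSQL_PWD leaks:", password_leaks(SETTINGS, True))    # False
```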
