Bug #44929 #92403 #110570: Fix tty password length handling #664
Open
gitliuhc wants to merge 1 commit into
Hi, thank you for submitting this pull request. In order to consider your code we need you to sign the Oracle Contribution Agreement (OCA). Please review the details and follow the instructions at https://oca.opensource.oracle.com/


Summary
This patch fixes the interactive TTY password input handling in the mysql client.
The previous implementation used a fixed-size buffer for interactive -p password input. As a result, passwords longer than 79 bytes could not be handled correctly. This also affects long token-style credentials used in token-based authentication scenarios.
When such long credentials are provided via interactive -p input, the input may be truncated or otherwise not processed correctly, which can lead to authentication failure and misleading error messages, for example:
ERROR 9125 (HY000): An error occurred while validating the access token. Please acquire a new token and retry.
One possible workaround is to pass the password directly using the --password option. However, this is not ideal from a security perspective because the password may be exposed through shell history or process command-line visibility. In addition, the mysql client explicitly shows the following warning in this case:
mysql: [Warning] Using a password on the command line interface can be insecure.
Therefore, this patch improves the interactive -p input path so that longer passwords and token-style credentials can be handled more safely, without requiring users to pass sensitive credentials directly on the command line.
Related Bugs
Changed File
sql-common/get_password.cc
Testing
Tested on:
Test cases:
Both normal password-based authentication and long token-style credential input were tested.
OCA
I have an approved Individual OCA.
Review
I would appreciate your review and consideration of this patch. Please let me know if any changes are needed.
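
The truncation described in the summary, next to a growing-buffer reader, as an added example that is not the PR's code or MySQL's own get_password.cc. The function names, the 80-byte FIXED_CAP (derived from the 79-byte limit in the description) and the sample input are assumptions; terminal echo handling is left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FIXED_CAP 80 /* assumed: 79 secret bytes + NUL, the limit the PR text gives */

static void wipe(void *p, size_t n) { /* volatile: the compiler cannot drop the wipe */
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}
/* Fixed-buffer shape: bytes past FIXED_CAP-1 are read but silently dropped. */
static size_t read_secret_fixed(FILE *in, char out[FIXED_CAP]) {
    size_t len = 0; int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        if (len < FIXED_CAP - 1) out[len++] = (char)c;
    out[len] = '\0';
    return len;
}
/* Growing shape: double on demand, wiping each old buffer before free(). */
static char *read_secret_dynamic(FILE *in, size_t *len_out) {
    size_t cap = FIXED_CAP, len = 0; int c;
    char *buf = malloc(cap), *bigger;
    while (buf && (c = fgetc(in)) != EOF && c != '\n') {
        if (len + 1 == cap) {
            if ((bigger = malloc(cap * 2))) memcpy(bigger, buf, len);
            wipe(buf, cap); free(buf);   /* no stale copy of the secret on the heap */
            buf = bigger; cap *= 2;
            if (!buf) break;             /* out of memory: report failure, not a prefix */
        }
        buf[len++] = (char)c;
    }
    if (buf) buf[len] = '\0';
    *len_out = buf ? len : 0;
    return buf;
}
static FILE *sample_input(size_t n) { /* constructed: n bytes of 'A' plus newline */
    FILE *f = tmpfile();
    while (f && n--) fputc('A', f);
    if (f) { fputc('\n', f); rewind(f); }
    return f;
}
int main(void) {
    char fixed[FIXED_CAP], *s; size_t n = 0;
    FILE *f = sample_input(200);
    if (!f) return 1;
    printf("fixed kept %zu bytes\n", read_secret_fixed(f, fixed));
    rewind(f);
    if ((s = read_secret_dynamic(f, &n))) { wipe(s, n); free(s); }
    printf("dynamic kept %zu bytes\n", n);
    return 0;
}
```

The fixed reader returns a well-formed but shortened string, which is why the server-side error reads as a bad token rather than an input problem.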