History | Log In     View a printable version of the current page.  
Issue Details (XML | Word | Printable)

Key: OX-1643
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Critical Critical
Assignee: andrew.hill
Reporter: Arlen Coupland
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
OpenX Ad Server

Special characters in password can cause Upgrade failure

Created: 13/Mar/08 11:23 AM   Updated: 29/Jan/09 07:47 AM
Component/s: OXP: Installation & Upgrade System
Affects Version/s: OpenX 2.6.0
Fix Version/s: Milestone 23, OpenX 2.7.19-dev, OpenX 2.6.3, OpenX 2.4.11
Security Level: Public (All users can see these issues)

Time Tracking:
Original Estimate: Not Specified
Remaining Estimate: 0h
Time Spent - 1.42h
Time Spent: 1.42h
Time Spent - 1.42h

Issue Links:
Reference
 

Passed QA Version/s: OpenX 2.6.3
QA Notes:
N/A for 2.7-beta hosted release - upgrade
passed retest in 2.6.3-rc1


 Description  « Hide
User johnange has reported that while upgrading, the following error was seen in the log after a failed upgrade:

{ #! script returned false OA_UpgradePostscript_8781812a20e052460f17402b567a722e #! Failure in upgrade postscript postscript_openads_upgrade_2.0.11_to_2.3.32_beta.php }

After continous attempts at upgrading, the user realized having a '$' character at the end of their chosen password was causing a problem.

{ I have solved my problem. In my case, the password I was using ended with a '$' character. Evidently, at some point the password field was used without being sanitized. As a result, the password in the config file was incorrect and the subsequent db config variables were omitted, eg: name= persistent= mysql4_compatibility= Correcting these values in the config file didn't help matters any because they just got destroyed again when trying to proceed with the installation. The only thing I could do was change the password and start over. }

Further details:
http://forum.openx.org/index.php?showtopic=503417741

Also has been reported when using a special character at beginning of DB password:
http://forum.openx.org/index.php?showtopic=503417820
However, using in the middle of password didn't cause a problem



 All   Comments   Work Log   Change History   FishEye   Crucible   Builds      Sort Order: Ascending order - Click to sort in descending order

Arlen Coupland - 04/Jun/08 03:45 PM - edited
Also on:
http://forum.openx.org/index.php?showtopic=503419284

and:
http://forum.openx.org/index.php?showtopic=503419163
"openx 2.4.5 on apache 2.2.3, mysql-5.0.22, php 5.1.6 running on Centos 5.0:"

and:
http://forum.openx.org/index.php?showtopic=503418575
PHP version = 5.2.0
Webserver = Apache/1.3.34
Database = mysql 5.0.32

also seen elsewhere was a user with the issue with PHP 5.2.5 and MySQL 5.0.45


Arlen Coupland - 05/Jun/08 09:39 AM
Another report with:
php 5.2.4
mysql 5.0.41
dbpassword having the problem: {=B:PQEkx8

Environment I have not been able to recreate it on personally (besides QA):
mysql 5.0.41, php 5.2.5
mysql 5.0.24, php 4.4.4

Seems like there might be another cause than MySQL version



Monique Szpak - 11/Sep/08 04:14 PM
I have made a change to the ini file writer to ensure that all non-printing characters are quoted.

However, parse_ini_file() has problems returning values containing single-quotes, backslashes and expecially double-quotes (these will actually corrupt the array).

This issue affects all values stored in the conf file, not just the database password.

However, it should fix problems with alll non-printing characters except the three mentioned above.


Monique Szpak - 11/Sep/08 04:36 PM
Further testing seems to suggest that not quoting single quotes or backslashes allows those two chars to read and write ok.

The only char we might need to validate against is the double quote.

Require smoke-testing to verify all of this.


Monique Szpak - 11/Sep/08 04:44 PM
All non-printing characters except double quotes should work in database password now.

All non-printing characters except double quotes should be wrapped in double quotes when written to the conf file.


Monique Szpak - 15/Sep/08 08:29 AM
Removed the unquoting of backslashes and single-quotes as it will cause issues when those chars are mixed with chars that require quotes.

Therefore, we need to use special validation or handling for any values that will be written to the conf file and contain a double quote, single quote or a backslash


Sue Houghton - 06/Oct/08 09:14 AM
Fix version changed to 2.6.3 following 2.6.2 security fix release

Sue Houghton - 06/Oct/08 09:23 AM
Fix version updated to 2.4.10 following 2.4.9 release for security fix

Nataliya Drabyk - 14/Oct/08 02:33 PM
Passed retest with non-printing symbols unless double quotes.
New issue OX-4265 is raised for particular case with " symbol.
Closed