Open
Hi, thank you for submitting this pull request. In order to consider your code we need you to sign the Oracle Contribution Agreement (OCA). Please review the details and follow the instructions at https://oca.opensource.oracle.com/
MySQL Shell upgrade_checker fails on user privilege check due to improper string literal escaping
Summary: A critical issue in MySQL Shell causes malformed SQL when composing queries that include quoted string literals. The problem surfaces in upgrade_checker during user privilege verification, leading to exceptions in newer versions.
Technical details:
Affected area: upgrade_checker → user privilege check (current_user_exists())
Root cause: The old escaping routine always used backslash-based escaping regardless of the NO_BACKSLASH_ESCAPES sql_mode setting. This produced invalid SQL for GRANTEE values containing quotes.
Old behavior (incorrect but appeared to work):
The Shell generated a query like: SELECT PRIVILEGE_TYPE FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE GRANTEE=''admin'@'localhost'' LIMIT 1;
Despite the SQL being syntactically invalid, an error was swallowed at some processing layer.
The query “slipped through” without a surfaced error, so the Shell assumed the user existed and continued.
As a result, current_user_exists() returned a “correct” outcome by accident for this specific query.
New behavior:
The newer version correctly surfaces the SQL error caused by improper escaping, and the Shell throws an exception during the privilege check.
Impact:
upgrade_checker may fail with an exception when checking user privileges, depending on sql_mode and input requiring proper quoting.
Resolution:
Use correct, mode-independent quoting via single-quote escaping provided by QUOTE(), and construct GRANTEE with CONCAT so it works regardless of NO_BACKSLASH_ESCAPES.
This ensures current_user_exists() executes reliably and does not throw.
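
The root cause described above, as an added example that is not part of the pull request or of MySQL Shell: a small scanner reads one single-quoted MySQL literal with and without NO_BACKSLASH_ESCAPES, showing that a backslash-escaped GRANTEE literal ends early in that mode while a quote-doubled one reads the same in both. The function names, the sample GRANTEE value and the exact shape of the QUOTE()/CONCAT predicate are assumptions made for illustration.

```python
# Added illustration, not MySQL Shell code. Simplification: a backslash escape
# yields the escaped character itself (\n, \0 etc. are not translated).
def scan_literal(sql, no_backslash_escapes):
    """Scan one single-quoted literal at the start of sql; return (value, rest)."""
    if not sql.startswith("'"):
        raise ValueError("not a string literal")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and not no_backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])        # default mode: backslash escapes next char
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")               # '' is an embedded quote in both modes
            i += 2
        elif ch == "'":
            return "".join(out), sql[i + 1:]   # closing quote
        else:
            out.append(ch)                # includes "\" under NO_BACKSLASH_ESCAPES
            i += 1
    raise ValueError("unterminated string literal")

def quote_backslash(value):
    # Mode-blind backslash style, as the description attributes to the old routine.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def quote_doubling(value):
    # Quote doubling: reads the same in both modes when value has no backslash.
    return "'" + value.replace("'", "''") + "'"

def round_trips(literal, no_backslash_escapes, expected):
    value, rest = scan_literal(literal, no_backslash_escapes)
    return value == expected and rest == ""

def grantee_predicate(user, host):
    # Assumed shape of the QUOTE()/CONCAT resolution: the server adds the inner
    # quotes, so the client only sends the bare user and host as literals.
    return "GRANTEE = CONCAT(QUOTE(%s), '@', QUOTE(%s))" % (
        quote_doubling(user), quote_doubling(host))

GRANTEE = "'admin'@'localhost'"   # constructed sample value

if __name__ == "__main__":
    for mode in (False, True):
        print("NO_BACKSLASH_ESCAPES =", mode)
        print("  backslash:", scan_literal(quote_backslash(GRANTEE), mode))
        print("  doubling :", scan_literal(quote_doubling(GRANTEE), mode))
    print(grantee_predicate("admin", "localhost"))
```

Under NO_BACKSLASH_ESCAPES the backslash-escaped literal closes after a single backslash character and leaves the rest of the GRANTEE text as trailing tokens, which is the malformed SQL the server rejects.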