Escape % in db+table names before adding to a format string being passed into db.execute()
Fixes #416
This commit is contained in:
parent
adec837306
commit
3a80b734e6
1 changed files with 7 additions and 3 deletions
|
@ -184,7 +184,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
|
|||
changed = False
|
||||
grant_option = False
|
||||
|
||||
# Handle passwords.
|
||||
# Handle passwords
|
||||
if password is not None:
|
||||
cursor.execute("SELECT password FROM user WHERE user = %s AND host = %s", (user,host))
|
||||
current_pass_hash = cursor.fetchone()
|
||||
|
@ -194,7 +194,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs):
|
|||
cursor.execute("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user,host,password))
|
||||
changed = True
|
||||
|
||||
# Handle privileges.
|
||||
# Handle privileges
|
||||
if new_priv is not None:
|
||||
curr_priv = privileges_get(cursor, user,host)
|
||||
|
||||
|
@ -297,6 +297,8 @@ def privileges_unpack(priv):
|
|||
return output
|
||||
|
||||
def privileges_revoke(cursor, user,host,db_table,grant_option):
|
||||
# Escape '%' since mysql db.execute() uses a format string
|
||||
db_table = db_table.replace('%', '%%')
|
||||
if grant_option:
|
||||
query = ["REVOKE GRANT OPTION ON %s" % mysql_quote_identifier(db_table, 'table')]
|
||||
query.append("FROM %s@%s")
|
||||
|
@ -308,7 +310,9 @@ def privileges_revoke(cursor, user,host,db_table,grant_option):
|
|||
cursor.execute(query, (user, host))
|
||||
|
||||
def privileges_grant(cursor, user,host,db_table,priv):
|
||||
|
||||
# Escape '%' since mysql db.execute uses a format string and the
|
||||
# specification of db and table often use a % (SQL wildcard)
|
||||
db_table = db_table.replace('%', '%%')
|
||||
priv_string = ",".join(filter(lambda x: x != 'GRANT', priv))
|
||||
query = ["GRANT %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))]
|
||||
query.append("TO %s@%s")
|
||||
|
|
Loading…
Reference in a new issue