From b48940650733c5e0f3a7f584f7be0641ddf538ad Mon Sep 17 00:00:00 2001 From: Richard Isaacson Date: Wed, 12 Mar 2014 23:28:06 -0500 Subject: Merge pull request #6461 from risaacson/modules_make_run_command_safer Modules make run command safer
---
 library/database/mysql_db | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/library/database/mysql_db b/library/database/mysql_db
index 622bf59a39..c9fd5b4e08 100644
--- a/library/database/mysql_db
+++ b/library/database/mysql_db
@@ -101,6 +101,7 @@ EXAMPLES = '''
 import ConfigParser
 import os
+import pipes
 try:
     import MySQLdb
 except ImportError:
@@ -123,36 +124,36 @@ def db_delete(cursor, db):
 def db_dump(module, host, user, password, db_name, target, port, socket=None):
     cmd = module.get_bin_path('mysqldump', True)
-    cmd += " --quick --user=%s --password='%s'" %(user, password)
+    cmd += " --quick --user=%s --password='%s'" % (pipes.quote(user), pipes.quote(password))
     if socket is not None:
-        cmd += " --socket=%s" % socket
+        cmd += " --socket=%s" % pipes.quote(socket)
     else:
-        cmd += " --host=%s --port=%s" % (host, port)
-    cmd += " %s" % db_name
+        cmd += " --host=%s --port=%s" % (pipes.quote(host), pipes.quote(port))
+    cmd += " %s" % pipes.quote(db_name)
     if os.path.splitext(target)[-1] == '.gz':
-        cmd = cmd + ' | gzip > ' + target
+        cmd = cmd + ' | gzip > ' + pipes.quote(target)
     elif os.path.splitext(target)[-1] == '.bz2':
-        cmd = cmd + ' | bzip2 > ' + target
+        cmd = cmd + ' | bzip2 > ' + pipes.quote(target)
     else:
-        cmd += " > %s" % target
-    rc, stdout, stderr = module.run_command(cmd)
+        cmd += " > %s" % pipes.quote(target)
+    rc, stdout, stderr = module.run_command(cmd, use_unsafe_shell=True)
     return rc, stdout, stderr
 def db_import(module, host, user, password, db_name, target, port, socket=None):
     cmd = module.get_bin_path('mysql', True)
-    cmd += " --user=%s --password='%s'" %(user, password)
+    cmd += " --user=%s --password='%s'" % (pipes.quote(user), pipes.quote(password))
     if socket is not None:
-        cmd += " --socket=%s" % socket
+        cmd += " --socket=%s" % pipes.quote(socket)
     else:
-        cmd += " --host=%s --port=%s" % (host, port)
-    cmd += " -D %s" % db_name
+        cmd += " --host=%s --port=%s" % (pipes.quote(host), pipes.quote(port))
+    cmd += " -D %s" % pipes.quote(db_name)
     if os.path.splitext(target)[-1] == '.gz':
-        cmd = 'gunzip < ' + target + ' | ' + cmd
+        cmd = 'gunzip < ' + pipes.quote(target) + ' | ' + cmd
     elif os.path.splitext(target)[-1] == '.bz2':
-        cmd = 'bunzip2 < ' + target + ' | ' + cmd
+        cmd = 'bunzip2 < ' + pipes.quote(target) + ' | ' + cmd
     else:
-        cmd += " < %s" % target
-    rc, stdout, stderr = module.run_command(cmd)
+        cmd += " < %s" % pipes.quote(target)
+    rc, stdout, stderr = module.run_command(cmd, use_unsafe_shell=True)
     return rc, stdout, stderr
 def db_create(cursor, db, encoding, collation):
-- cgit v1.2.1
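Review bot: The password is quoted twice in both `db_dump` and `db_import`: `pipes.quote(password)` already wraps the value in single quotes whenever it contains a character outside pipes' safe set, and the format string then adds a second literal pair, so a password such as `fo'o` is assembled as `--password=''fo'"'"'o''` and, because `use_unsafe_shell=True` hands the string to a shell, is parsed into `fo"'"o` — a silently different credential rather than an error. Drop the literal quotes in both format strings, `cmd += " --quick --user=%s --password=%s" % (pipes.quote(user), pipes.quote(password))` and `cmd += " --user=%s --password=%s" % (pipes.quote(user), pipes.quote(password))`; values made only of safe characters still pass through unquoted, so nothing else changes. `pipes.quote(port)` also presumes `port` is already a `str` — if the module's argument spec ever delivers an int this raises `TypeError`, and `pipes.quote(str(port))` would be the defensive spelling (the spec is outside this hunk, so I cannot confirm which type arrives). Separately, quoting closes the injection path but the credential is still handed over on the command line and is readable in the process table for the lifetime of the dump or import; a comment above the first `cmd +=` in each function, `# NOTE: the password is passed as an argument and is visible to other local users in the process list while the command runs`, would make that trade-off explicit for the next maintainer.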