MDEV-221 - Properly escape command line when starting mysql_install_db

since password characters can contain quotes or spaces.

The proper quoting method for command line arguments used here was  extracted from
http://blogs.msdn.com/b/twistylittlepassagesallalike/archive/2011/04/23/everyone-quotes-arguments-the-wrong-way.aspx

Additionally, mysql_install_db.exe now passes root password to "mysqld.exe --bootstrap"
 in hexadecimal form, to handle potential special chars inside password string literal.

1 files changed, 13 insertions, 5 deletions

diff --git a/sql/mysql_install_db.cc b/sql/mysql_install_db.cc
index 086dc292dec..364dca9120a 100644
--- a/sql/mysql_install_db.cc
+++ b/sql/mysql_install_db.cc
@@ -316,9 +316,9 @@ static int create_myini()
 
 
 static const char update_root_passwd_part1[]=
-  "UPDATE mysql.user SET Password = PASSWORD('";
+  "UPDATE mysql.user SET Password = PASSWORD(";
 static const char update_root_passwd_part2[]=
-  "') where User='root';\n";
+  ") where User='root';\n";
 static const char remove_default_user_cmd[]= 
   "DELETE FROM mysql.user where User='';\n";
 static const char allow_remote_root_access_cmd[]=
@@ -589,11 +589,19 @@ static int create_db_instance()
   }
 
   /* Change root password if requested. */
-  if (opt_password)
+  if (opt_password && opt_password[0])
   {
-    verbose("Changing root password",remove_default_user_cmd);
+    verbose("Setting root password",remove_default_user_cmd);
     fputs(update_root_passwd_part1, in);
-    fputs(opt_password, in);
+
+    /* Use hex encoding for password, to avoid escaping problems.*/
+    fputc('0', in);
+    fputc('x', in);
+    for(int i= 0; opt_password[i]; i++)
+    {
+      fprintf(in,"%02x",opt_password[i]);
+    }
+
     fputs(update_root_passwd_part2, in);
     fflush(in);
   }