12:44 am
Hi,
in XClone 3.1 the mysqldump command line construction is not safe when shell metacharacters are part of the password. For example, a password starting with or including ">" will be truncated at that character and the output redirected to a file consisting of the remains of the password. To correct this, cloner.functions.php, line 1971 could be changed to:
exec($_CONFIG['sqldump'] . " -h " . $_CONFIG['mysql_host'] . " -u " . $_CONFIG['mysql_user'] . " --password='" . $_CONFIG['mysql_pass'] . "' " . $dbname . " > " . $sqlfile . " $drop --allow-keywords " . $ex_dump);
Note that the password is now included in single quotes, which will defuse the metacharacters *EXCEPT FOR A SINGLE QUOTE*. I don't know what the right PHP function is to sanitise a string that may include a single quote, and render it as "\'" (backslash single-quote). Note that the other fields should be relatively safe from this problem; host names and user names don't normally use characters that are part of the shell metacharacter set (dollar, brackets of various types, less than and greater than symbols, ampersand, bang, pipe, semicolon, asterisk, question mark and single, double and back quotes).
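Alongside the post above, an added example (not part of the original post and not the project's own code): PHP's escapeshellarg() quotes a value for the shell, embedded single quotes included. The function build_dump_command(), the $config array and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not the project's code. $config stands in for the post's
// $_CONFIG; build_dump_command() and all sample values are constructed.

function build_dump_command(array $config, string $dbname, string $sqlfile, array $options = []): string
{
    // escapeshellarg() wraps a value in single quotes and rewrites each
    // embedded single quote as '\'' so a POSIX shell sees one literal argument.
    $parts = [
        escapeshellarg($config['sqldump']),
        '-h', escapeshellarg($config['mysql_host']),
        '-u', escapeshellarg($config['mysql_user']),
        '--password=' . escapeshellarg($config['mysql_pass']),
        '--allow-keywords',
    ];
    foreach ($options as $opt) {
        $parts[] = escapeshellarg($opt);   // extra options, one argument each
    }
    $parts[] = escapeshellarg($dbname);

    // The redirect target is quoted as well, so a path cannot alter the command.
    return implode(' ', $parts) . ' > ' . escapeshellarg($sqlfile);
}

// Constructed sample configuration; the password holds '>', a single quote,
// '$' and '&', the kinds of characters the post is concerned with.
$config = [
    'sqldump'    => 'mysqldump',
    'mysql_host' => 'localhost',
    'mysql_user' => 'backup',
    'mysql_pass' => "ab>c'd\$e&f",
];

echo build_dump_command($config, 'exampledb', '/tmp/example dump.sql', ['--add-drop-table']), PHP_EOL;

// Round-trip check: hand the quoted password to the shell and confirm the
// program receives it byte for byte.
$out = [];
exec('printf %s ' . escapeshellarg($config['mysql_pass']), $out);
echo ($out[0] ?? '') === $config['mysql_pass'] ? "password survived the shell\n" : "password was altered\n";
```

On Windows escapeshellarg() behaves differently: it wraps the value in double quotes and replaces %, ! and " with spaces. A password given on the command line is also visible in the process list; mysqldump can read it from an option file passed with --defaults-extra-file instead.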