mysql_db import fails with special characters in password

[paulbadcock]

SUMMARY

mysql_db import fails when using special characters in the password parameter.

ISSUE TYPE

• Bug Report

COMPONENT NAME

mysql_db

ANSIBLE VERSION

ansible 2.8.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /var/lib/awx/venv/ansible-2.8-nonroot/lib/python2.7/site-packages/ansible
  executable location = /var/lib/awx/venv/ansible-2.8-nonroot/bin/ansible
  python version = 2.7.5 (default, Jun 11 2019, 12:19:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

CONFIGURATION

Nothing

OS / ENVIRONMENT

RHEL 7.6

STEPS TO REPRODUCE

You can reproduce the problem by attempting to use a ! in the password field of the login_password

 - mysql_db:
    name: "db"
    state: import
    target: /tmp/sql_dump.sql.bz2
    login_host: "db.tld"
    login_user: "user"
    login_password: "pass!word"

EXPECTED RESULTS

Database to import with no errors

ACTUAL RESULTS

Failure to import with permission denied error

ERROR 1045 (28000): Access denied for user 'user'@'db.tld' (using password: YES)\n"

[ansibot]

Files identified in the description:

• lib/ansible/modules/database/mysql/mysql_db.py

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibot]

cc @Alexander198961 @Andersson007 @Xyon @bmalynovytch @bmildren @kurtdavis @michaelcoburn @Oneiroi @tolland
click here for bot help

[paulbadcock]

The issue is on line 225 of the module

        cmd.append("--password=%s" % shlex_quote(password))

Removing the shlex_quote from the password and saving the new file to my library folder allows the password to work correctly with no errors from mysql shell command

[winem]

I will also take a look at the code. Removing shlex_quote can already be the fix but this can also be highly dangerous. This depends on the further handling of the password.

[Andersson007]

this unfortunately can't be removed because of security reasons https://docs.python.org/3/library/shlex.html#shlex.quote.
There's a good example why

[Andersson007]

I'll add an option for that

[Andersson007]

ansible-collections/community.general#428
One thing i'm worried about is that i can't reproduce Access denied neither in my local environment nor in ansible CI tests.

[Andersson007]

can be closed via ansible-collections/community.general#428

[Akasurde]

resolved_by_pr #ansible-collections/community.general#428

Marking it as resolved. Thanks @Andersson007

[Andersson007]

@Akasurde thanks for marking and closing!