Commit d667e58b authored by anarcat's avatar anarcat Committed by anarcat

#559404 do not display mysql credentials on the commandline

parent 3b803d67
......@@ -2,7 +2,62 @@
function drush_provision_mysql_pre_provision_backup($url = NULL) {
drush_log("Generating mysql dump for $url.", 'backup');
$result = provision_shell_exec("mysqldump -h%s -u%s -p%s -rsites/%s/database.sql %s", drush_get_option('db_host'), drush_get_option('db_user'),drush_get_option('db_passwd'), $url, drush_get_option('db_name'));
# mixed copy-paste of drush_shell_exec and provision_shell_exec
$cmd = sprintf("mysqldump --defaults-file=/dev/fd/3 -rsites/%s/database.sql %s", escapeshellcmd($url), escapeshellcmd(drush_get_option('db_name')));
drush_log($cmd);
if (drush_get_context('DRUSH_VERBOSE') || drush_get_context('DRUSH_SIMULATE')) {
drush_print('Executing: ' . $cmd, $indent);
}
if (drush_get_context('DRUSH_SIMULATE')) {
return true;
}
# pipe handling code
# we go through all this trouble to hide the password from the commandline, it's the most secure way (apart from writing a temporary file, which would create conflicts in parallel runs)
$mycnf = sprintf('[client]
host=%s
user=%s
password=%s
', drush_get_option('db_host'), drush_get_option('db_user'), drush_get_option('db_passwd'));
$descriptorspec = array(
// 0 => array("pipe", "r"), // this would be stdin, but we don't need to input into mysqldump
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w"), // stderr is a file to write to
3 => array("pipe", "r"), // fd3 is our special file descriptor where we pass credentials
);
$process = proc_open($cmd, $descriptorspec, $pipes);
$output = array();
if (is_resource($process)) {
fwrite($pipes[3], $mycnf);
fclose($pipes[3]);
$output = array_filter(array_merge(explode("\n", stream_get_contents($pipes[1])), explode("\n", stream_get_contents($pipes[2]))));
// "It is important that you close any pipes before calling
// proc_close in order to avoid a deadlock"
fclose($pipes[1]);
fclose($pipes[2]);
$return_value = proc_close($process);
} else {
// XXX: failed to execute? unsure when this happens
$return_value = -1;
}
# resuming drush_exec copy/paste
$indent = 0;
_drush_shell_exec_output_set($output);
if (drush_get_context('DRUSH_VERBOSE')) {
foreach ($output as $line) {
drush_print($line, $indent + 2);
}
}
$result = ($return_value == 0);
if (!$result && !drush_get_option('force', false)) {
drush_set_error('PROVISION_BACKUP_FAILED', dt("Could not back up sites directory for drupal"));
}
......
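Review bot: `escapeshellcmd()` is the wrong escaping function for `$url` and the `db_name` option where `$cmd` is built, because it only backslash-escapes shell metacharacters and does not quote the value, so whitespace in either value still splits into extra arguments to mysqldump. Each interpolated value should be passed as one quoted argument, for example `escapeshellarg("sites/$url/database.sql")` after `-r` and `escapeshellarg(drush_get_option('db_name'))` for the database name. The `mysql --defaults-file=/dev/fd/3 %s` line in `_provision_mysql_import_dump()` has the same issue with `$db_name`. Separately, `$indent` is passed to `drush_print()` in the verbose/simulate branch before it is assigned `0` further down, so the assignment should move above that branch.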
......@@ -162,10 +162,41 @@ function _provision_mysql_import_dump($dump_file, $db_name, $db_user, $db_passwd
dt('The database dump at @path could not be read.'),
'PROVISION_DB_DUMP_NOT_READABLE');
if ($readable) {
drush_log(sprintf("Importing database using command: mysql -u%s -p%s -h%s %s < %s",
$db_user, $db_passwd, $db_host, $db_name, $dump_file));
if (!provision_shell_exec("mysql -u%s -p%s -h%s %s < %s", $db_user, $db_passwd, $db_host, $db_name, $dump_file )) {
drush_set_error('PROVISION_DB_IMPORT_FAILED', dt("Database import failed: %output", array('%output' => join("\n", drush_shell_exec_output()))));
$cmd = sprintf("mysql --defaults-file=/dev/fd/3 %s", escapeshellcmd($db_name));
drush_log(sprintf("Importing database using command: %s", $cmd));
# pipe handling code, this is inspired by drush_provision_mysql_pre_provision_backup()
# we go through all this trouble to hide the password from the commandline, it's the most secure way (apart from writing a temporary file, which would create conflicts in parallel runs)
$mycnf = sprintf('[client]
host=%s
user=%s
password=%s
', $db_host, $db_user, $db_passwd);
$descriptorspec = array(
0 => array("file", $dump_file, "r"),
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w"), // stderr is a file to write to
3 => array("pipe", "r"), // fd3 is our special file descriptor where we pass credentials
);
$process = proc_open($cmd, $descriptorspec, $pipes);
$output = "";
if (is_resource($process)) {
fwrite($pipes[3], $mycnf);
fclose($pipes[3]);
$output = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
// "It is important that you close any pipes before calling
// proc_close in order to avoid a deadlock"
fclose($pipes[1]);
fclose($pipes[2]);
$return_value = proc_close($process);
} else {
// XXX: failed to execute? unsure when this happens
$return_value = -1;
}
if ($return_value != 0) {
drush_set_error('PROVISION_DB_IMPORT_FAILED', dt("Database import failed: %output", array('%output' => $output)));
}
}
}
......
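Review bot: The option file in `$mycnf` is built with `sprintf()` from `$db_host`, `$db_user` and `$db_passwd` without any quoting, so a password containing `#` is cut off at the comment character and a value containing a newline would add further lines to the `[client]` section. Writing the values quoted, e.g. `password="%s"`, and rejecting values that contain a newline or a double quote before building the file would keep each credential on its own line as intended. The same template is used in `drush_provision_mysql_pre_provision_backup()`. The result of `fwrite($pipes[3], $mycnf)` is also not checked, so a short or failed write would only show up as an authentication error from mysql.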