escaping password for Postgress connection

[jnoortheen]

I understand the reason behind this escaping, but this creates problem for passwords with special characters like get_escaped_command_arg("pass!word") -> "'pass!word'"

That extra pair of quotes make the command fail. Is it possible to remove the line of code safely?

Location of the code: dbbackup/db/postgresql.py:19

[JamesHannon]

Just ran into this issue myself ... specifically Windows 10. I don't experience it at all in my Unix/Linux system.

I solved it by using

def get_escaped_command_arg(arg):
    return arg if os.name == 'nt' else quote(arg)

Line 427/428 in dbbackup.utils.py

[adi-]

Doesn't work. What the quote function returns is i.e. {'PGPASSWORD': "'my_password'"} which fails to authenticate

[adi-]

What I suspect is env variable is already escaped with double quotes. I guess there shouldn't be get_escaped_command_arg(arg) used here https://github.com/django-dbbackup/django-dbbackup/blob/master/dbbackup/db/postgresql.py#L19

[silviogutierrez]

I thought this was related to special characters, but it seems like this actually adds quotes to any password and thus all Postgres passwords fail? Could that be the case?

[silviogutierrez]

Upon more research, that's almost certainly the case: this code:

https://docs.python.org/3/library/shlex.html#shlex.quote

is meant to be used in command arguments, not as an environment variable. Because we're setting an environment variable, the quotes are interpreted literally.

I'm pretty sure this means Postgres authentication is entirely broken right now, which is surprising since this is a pretty popular library.

Of course, up until recently, I had no password in Postgres as it was a local db.

Hope that helps someone. Great library nonetheless!

[jonathan-s]

@silviogutierrez Do you have a chance to verify if that's the case?

but it seems like this actually adds quotes to any password and thus all Postgres passwords fail?

[silviogutierrez]

@jonathan-s : yes, that's the case. I fixed it in my Docker builds by running this beauty:

# See: https://github.com/django-dbbackup/django-dbbackup/issues/301
RUN sed -i "s/utils\.get_escaped_command_arg(self\.settings\['PASSWORD'\])/self.settings['PASSWORD']/" /usr/local/lib/python3.8/site-packages/dbbackup/db/postgresql.py

[jonathan-s]

Thanks! @silviogutierrez I'll make sure that this gets fixed in the next release!

[jonathan-s]

@silviogutierrez Do you think you could try current master and see if you see this issue? I think this should be fixed.

[jonathan-s]

Should be fixed in #361, if you have any issues in current master let me know and we'll sort this out.

[silviogutierrez]

@jonathan-s : confirmed, it works. Thanks for your work on this library.