From bc9be0d576bdd8ba61a481eb2f06802689a9bcb3 Mon Sep 17 00:00:00 2001
From: Jerome Charaoui <jerome@riseup.net>
Date: Fri, 16 Mar 2018 16:52:39 -0400
Subject: [PATCH] Attempt to sanitize the database identifiers

Removing the quote and semicolon characters should be sufficient to
prevent breaking out of the shell command, but this may need to be reviewed
by someone more knowledgeable in shell scripting.
---
 handlers/mysql.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/handlers/mysql.in b/handlers/mysql.in
index a719ad6..e793151 100644
--- a/handlers/mysql.in
+++ b/handlers/mysql.in
@@ -255,6 +255,9 @@ then
 
    for db in $databases
    do
+      # Sanitize database name
+      db=$(echo $db | tr -d \'\;)
+
       DUMP_BASE="$MYSQLDUMP $defaultsfile $sqldumpoptions"
 
       # Dumping structure and data
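Review bot: The added `tr -d \'\;` on the new line after `do` is a deny-list of two characters, and a deny-list is not sufficient if `$db` is later spliced unquoted into a shell command line (the usage is outside the hunk, but `DUMP_BASE` on the next line suggests it): backticks, `$(`, `|`, `&`, redirections, whitespace and newlines all survive it, and the unquoted `echo $db` itself word-splits and globs the name before `tr` sees it. It also silently mangles a legitimate name containing a quote into a different, nonexistent database, so the dump fails without saying why. An allow-list that skips the entry with a diagnostic is both stricter and more honest: `case "$db" in *[!A-Za-z0-9_-]*|'') printf 'skipping database with unsafe name: %s\n' "$db" >&2; continue ;; esac`, which also stays POSIX for a `.in` handler whose interpreter is not visible here. Independently of that check, every later use of `$db` should be double-quoted so the name is never re-parsed by the shell; the `for db in $databases` loop begun at the top of this hunk ends outside it.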
-- 
GitLab