Bug #91167

Hosteurope database name not valid

Added by Tobias Musholt 7 months ago. Updated 7 months ago.

Status:
Closed
Priority:
Should have
Category:
Database API (Doctrine DBAL)
Target version:
-
Start date:
2020-04-22
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Hosteurope database name are generated with hyphen (-) and are not valid. Please add the hyphen into the regular expression.

typo3_src-10.4.0/typo3/sysext/install/Classes/SystemEnvironment/DatabaseCheck/Platform/AbstractPlatform.php - Zeile 67:

old/wrong:
return strlen($databaseName) <= static::SCHEMA_NAME_MAX_LENGTH && preg_match('/^[a-zA-Z0-9\$_]*$/', $databaseName);

new/currenty:
return strlen($databaseName) <= static::SCHEMA_NAME_MAX_LENGTH && preg_match('/^[a-zA-Z0-9\$-_]*$/', $databaseName);

#1

Updated by Michael Stucki 7 months ago

  • Project changed from forge.typo3.org to TYPO3 Core
  • Category deleted (Server Administration)
  • Target version deleted (0.1)
  • TYPO3 Version set to 10

Wrong project.

#3

Updated by Manuel Selbach 7 months ago

  • Category set to Database API (Doctrine DBAL)
  • Assignee set to Manuel Selbach
#4

Updated by Tobias Musholt 7 months ago

Michael Stucki wrote:

see https://mariadb.com/kb/en/identifier-names/

Unfortunately, this does not work because you can only select the database using a select box and do not type in the database name directly.

#5

Updated by Oliver Hader 7 months ago

Tobias: RegExp @preg_match('/^[a-zA-Z0-9\$-_]*$/') is probably not the intended declaration since the last part means "$ to _" accidentally including - as well...

When allowing more characters (\x01-\xf7), I'm not sure which new security aspects this might add - this should be evaluated carefully.
Tamper instructions of SQLmap might be a good starting point for that (https://github.com/sqlmapproject/sqlmap/tree/master/tamper)

#6

Updated by Tobias Musholt 7 months ago

Oliver Hader wrote:

Tobias: RegExp @preg_match('/^[a-zA-Z0-9\$-_]*$/') is probably not the intended declaration since the last part means "$ to _" accidentally including - as well...

Sorry, I am not very familiar with regular expressions!

When allowing more characters (\x01-\xf7), I'm not sure which new security aspects this might add - this should be evaluated carefully.
Tamper instructions of SQLmap might be a good starting point for that (https://github.com/sqlmapproject/sqlmap/tree/master/tamper)

I can understand the risk. Currently I only have the problem that one of the largest hosters (HostEurope) in Germany puts a hyphen ('-') in all its database name
(`db[customerNumber]-[name]` (e.g. `db1234567-typo3`)) and I cannot install TYPO3 and HostEurope says that this is a problem with TYPO3 and not with HostEurope. :-(

#7

Updated by Gerrit Code Review 7 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64312

#8

Updated by Gerrit Code Review 7 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64312

#9

Updated by Michael Stucki 7 months ago

see https://mariadb.com/kb/en/identifier-names/

The reason why I mentioned this is that according to this spec, the minus character is not allowed in unquoted database names.

One could argue that database names should just be quoted then, but that's a major change that can't be changed so quickly...

I see that Contao had the same issue, but their fix is not the way how I like it to be: They just removed the whole validity check... :-(
https://github.com/contao/core-bundle/issues/593

My suggestion is to not do anything here. Instead, the database name should be specified manually. After all, that should work but is not supported, so you use it at your own risk.

#10

Updated by Tobias Musholt 7 months ago

Michael Stucki wrote:

Instead, the database name should be specified manually.

If I received TYPO3 like this, I have no problem with it, but at the moment I am not scared how and where I can hear the database names manually during installation?!? Did I miss something?

#12

Updated by Tobias Musholt 7 months ago

Michael Stucki wrote:

Just set it in LocalConfiguration.php, see https://docs.typo3.org/m/typo3/reference-coreapi/10.4/en-us/ApiOverview/Database/Configuration/Index.html.

I've been doing TYPO3 for 10 years, but that was new! Thank you! ;-)

#13

Updated by Tobias Musholt 7 months ago

Tobias Musholt wrote:

Michael Stucki wrote:

Just set it in LocalConfiguration.php, see https://docs.typo3.org/m/typo3/reference-coreapi/10.4/en-us/ApiOverview/Database/Configuration/Index.html.

I've been doing TYPO3 for 10 years, but that was new! Thank you! ;-)

Unfortunately, that didn't work.

I think I was also misunderstood, but I am concerned with the installation of a TYPO3 system and not with the general operation where I can change the name of the database.

During the TYPO3 installation, I can unfortunately only select the database name using a select box and this is then rejected by the system because it contains a hyphen.

#14

Updated by Michael Stucki 7 months ago

Yes the installer does not show it because, as I understand it, this is not supported as of now. However, you can skip this step by setting the DB configuration manually as explained above... What else do you need?

#15

Updated by Tobias Musholt 7 months ago

Michael Stucki wrote:

Yes the installer does not show it because, as I understand it, this is not supported as of now. However, you can skip this step by setting the DB configuration manually as explained above... What else do you need?

I have now made various attempts, but I do not know how I should enter the data manually during an installation or how I should be able to skip this?! Especially since the question arises where TYPO3 should save the database tables from without a functioning database access!?

#16

Updated by Christian Giegler 7 months ago

Michael Stucki wrote:

see https://mariadb.com/kb/en/identifier-names/

The reason why I mentioned this is that according to this spec, the minus character is not allowed in unquoted database names.

One could argue that database names should just be quoted then, but that's a major change that can't be changed so quickly...

I see that Contao had the same issue, but their fix is not the way how I like it to be: They just removed the whole validity check... :-(
https://github.com/contao/core-bundle/issues/593

My suggestion is to not do anything here. Instead, the database name should be specified manually. After all, that should work but is not supported, so you use it at your own risk.

Well, hyphens are a valid character for quoted database names, so switching from unquoted to quoted is the best choice in the future to support all users.
I think a simple change to display a warning that the name is not valid for unquoted databases and an option to "ignore the warning and continue" would solve the problem for now.
Sure some pro's can edit their localconfig.php while installing typo3 so it works, but that can't be expected from a "default" user.

#17

Updated by Manuel Selbach 7 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#18

Updated by Benni Mack 7 months ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF