From bb2f90ee5bec712f3969e37bbcab0105319e7695 Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Sun, 4 Dec 2016 10:25:48 -0800
Subject: [PATCH] Disallow backslash in passwords https://virtualmin.com/node/44451
---
 mysql/lang/en | 1 +
 mysql/save_root.cgi | 1 +
 mysql/save_user.cgi | 3 +++
 3 files changed, 5 insertions(+)
diff --git a/mysql/lang/en b/mysql/lang/en
index 55108b5e3..2bb8e58fe 100644
--- a/mysql/lang/en
+++ b/mysql/lang/en
@@ -299,6 +299,7 @@ user_priv_create_tablespace=Create Tablespace
 user_err=Failed to save user
 user_euser=Missing or invalid username
 user_ehost=Missing or invalid allow host(s)
+user_eslash=MySQL does not support a password containing a backslash
 user_ssl=Required certificate type
 user_cipher=SSL cipher
 user_ssl_=None
diff --git a/mysql/save_root.cgi b/mysql/save_root.cgi
index 9f5c098a8..3c0aec46f 100755
--- a/mysql/save_root.cgi
+++ b/mysql/save_root.cgi
@@ -9,6 +9,7 @@ $access{'perms'} == 1 || &error($text{'perms_ecannot'});
 # Validate inputs
 $in{'newpass1'} || &error($text{'root_epass1'});
 $in{'newpass1'} eq $in{'newpass2'} || &error($text{'root_epass2'});
+$in{'newpass1'} =~ /\\/ && &error($text{'user_eslash'});
 
 # Update MySQL
 $esc = &escapestr($in{'newpass1'});
diff --git a/mysql/save_user.cgi b/mysql/save_user.cgi
index 1b6907f09..876b7587c 100755
--- a/mysql/save_user.cgi
+++ b/mysql/save_user.cgi
@@ -19,6 +19,9 @@ else {
 &error($text{'user_euser'});
 $in{'host_def'} || $in{'host'} =~ /^\S+$/ ||
 &error($text{'user_ehost'});
+ if ($in{'mysqlpass_mode'} == 0 && $in{'mysqlpas'} =~ /\\/) {
+ &error($text{'user_eslash'});
+ }
 
 %perms = map { $_, 1 } split(/\0/, $in{'perms'});
 @desc = &table_structure($master_db, 'user');
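Review bot: The backslash check added to save_root.cgi carries no comment explaining why the character is refused instead of escaped, even though `&escapestr` is applied to the same value a few lines below. Without that, a later maintainer could reasonably remove the check as redundant. I would put a why-comment directly above it, for example `# Backslash is rejected rather than escaped; see https://virtualmin.com/node/44451`. The same rule is written a second time, in a different shape, in save_user.cgi, so a shared validation helper would keep the two password paths in step.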
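Review bot: The new condition in save_user.cgi tests `$in{'mysqlpas'}`, while the mode field beside it is `$in{'mysqlpass_mode'}`. If the form field is named `mysqlpass` (its name is not visible in this hunk), the regex runs against an undefined value and a password containing a backslash is never rejected on this path. The line should probably read `if ($in{'mysqlpass_mode'} == 0 && $in{'mysqlpass'} =~ /\\/) {`. The enclosing `else {` block begins and ends outside the hunk, so confirm the key against the code that later reads the password.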