This would be in the Bug Tracker, but the bug tracker
requires a login.
In lib/configure.pm:490, and other places in that file,
backticks are used to run shell commands that set up
the database. There are actually multiple problems with
- Using the MySQL admin password on a command line is
insecure. On some systems, it can be seen by other
users with the 'ps' command.
- If the password contains any shell metacharacters,
the shell command will fail, because backticks are
processed with "sh -c".
For MySQL, the best way to fix the bug is to connect to
the server directly through DBI and create the database
and database tables by sending SQL queries, the same
way that this is already done for MySQL on the Win32
platform. This fixes both the shell-metacharacter
problem and the security problem. Attached is a patch
against OS AllCommerce 1.2.3 that implements this fix.