Quote command-line parameters

Fix #77

Author: simonhammes

scheduler/app/database/init_db.py

@@ -1,4 +1,5 @@
 import os
+import shlex
 import time
 import pymysql
 
@@ -42,16 +43,16 @@ def wait_for_mysql():
 
 if db_user == "root":
     sql = 'mysql -h %s -u%s -p%s -e "CREATE DATABASE IF NOT EXISTS %s;"' % (
-        DB_HOST,
-        db_user,
-        db_passwd,
+        shlex.quote(DB_HOST),
+        shlex.quote(db_user),
+        shlex.quote(db_passwd),
         DATABASE_NAME,
     )
     os.system(sql)
 sql = "mysql -h %s -u%s -p%s %s </opt/scheduler/database/initial_tables.sql" % (
-    DB_HOST,
-    db_user,
-    db_passwd,
+    shlex.quote(DB_HOST),
+    shlex.quote(db_user),
+    shlex.quote(db_passwd),
     DATABASE_NAME,
 )
 os.system(sql)

scheduler/app/upgrade/upgrade.py

@@ -7,6 +7,7 @@
 
 import glob
 import os
+import shlex
 from os.path import basename, join
 from sqlalchemy import text
 from datetime import datetime
@@ -79,11 +80,11 @@ def run_script_and_update_version_stamp(script, new_version):
     os.system(
         "mysql -h %(db_host)s -u%(db_user)s -p%(db_passwd)s %(database)s < %(script)s"
         % {
-            "db_host": DB_HOST,
-            "db_user": db_user,
-            "db_passwd": db_passwd,
-            "database": DATABASE_NAME,
-            "script": script,
+            "db_host": shlex.quote(DB_HOST),
+            "db_user": shlex.quote(db_user),
+            "db_passwd": shlex.quote(db_passwd),
+            "database": shlex.quote(DATABASE_NAME),
+            "script": shlex.quote(script),
         }
     )
     update_version_stamp(new_version)