BUG#36476195: Incorrect escaping in pure Python mode if sql_mode includes NO_BACKSLASH_ESCAPES

SubCoder1 · SubCoder1 · commit 1e799824c308 · 2024-04-23T15:38:32.000+05:30
This patch fixes the issue by adding proper conditional checks during statement conversions
to check if NO_BACKSLASH_ESCAPES is included with/without other options in the sql_mode
parameter and ensure correct string escaping is being done during conversion.

Change-Id: I71372b881cd163be7714cf30c600fcafe976602c
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -8,6 +8,11 @@ Copyright (c) 2009, 2024, Oracle and/or its affiliates.
 Full release notes:
  http://dev.mysql.com/doc/relnotes/connector-python/en/
 
+v9.0.0
+======
+
+- BUG#36476195: Incorrect escaping in pure Python mode if sql_mode includes NO_BACKSLASH_ESCAPES
+
 v8.4.0
 ======
 
diff --git a/mysql-connector-python/lib/mysql/connector/aio/abstracts.py b/mysql-connector-python/lib/mysql/connector/aio/abstracts.py
@@ -190,6 +190,7 @@ def __init__(
         converter_str_fallback: bool = False,
         connection_timeout: int = DEFAULT_CONFIGURATION["connect_timeout"],
         unix_socket: Optional[str] = None,
+        use_unicode: Optional[bool] = True,
         ssl_ca: Optional[str] = None,
         ssl_cert: Optional[str] = None,
         ssl_key: Optional[str] = None,
@@ -254,9 +255,9 @@ def __init__(
         self.raise_on_warnings: bool = raise_on_warnings
         self._buffered: bool = buffered
         self._raw: bool = raw
+        self._use_unicode: bool = use_unicode
         self._have_next_result: bool = False
         self._unread_result: bool = False
-        self._use_unicode: bool = True
         self._in_transaction: bool = False
         self._oci_config_file: Optional[str] = None
         self._oci_config_profile: Optional[str] = None
diff --git a/mysql-connector-python/lib/mysql/connector/aio/cursor.py b/mysql-connector-python/lib/mysql/connector/aio/cursor.py
@@ -172,19 +172,20 @@ async def close(self) -> bool:
         self._connection = None
         return True
 
-    def _process_params_dict(
+    async def _process_params_dict(
         self, params: ParamsDictType
     ) -> Dict[bytes, Union[bytes, Decimal]]:
         """Process query parameters given as dictionary."""
         res: Dict[bytes, Any] = {}
         try:
+            sql_mode = await self._connection.get_sql_mode()
             to_mysql = self._connection.converter.to_mysql
             escape = self._connection.converter.escape
             quote = self._connection.converter.quote
             for key, value in params.items():
                 conv = value
                 conv = to_mysql(conv)
-                conv = escape(conv)
+                conv = escape(conv, sql_mode)
                 if not isinstance(value, Decimal):
                     conv = quote(conv)
                 res[key.encode()] = conv
@@ -194,17 +195,18 @@ def _process_params_dict(
             ) from err
         return res
 
-    def _process_params(
+    async def _process_params(
         self, params: ParamsSequenceType
     ) -> Tuple[Union[bytes, Decimal], ...]:
         """Process query parameters."""
         result = params[:]
         try:
+            sql_mode = await self._connection.get_sql_mode()
             to_mysql = self._connection.converter.to_mysql
             escape = self._connection.converter.escape
             quote = self._connection.converter.quote
             result = [to_mysql(value) for value in result]
-            result = [escape(value) for value in result]
+            result = [escape(value, sql_mode) for value in result]
             result = [
                 quote(value) if not isinstance(params[i], Decimal) else value
                 for i, value in enumerate(result)
@@ -412,7 +414,7 @@ def _check_executed(self) -> None:
         if self._executed is None:
             raise InterfaceError(ERR_NO_RESULT_TO_FETCH)
 
-    def _prepare_statement(
+    async def _prepare_statement(
         self,
         operation: StrOrBytes,
         params: Union[Sequence[Any], Dict[str, Any]] = (),
@@ -437,9 +439,11 @@ def _prepare_statement(
 
         if params:
             if isinstance(params, dict):
-                stmt = _bytestr_format_dict(stmt, self._process_params_dict(params))
+                stmt = _bytestr_format_dict(
+                    stmt, await self._process_params_dict(params)
+                )
             elif isinstance(params, (list, tuple)):
-                psub = _ParamSubstitutor(self._process_params(params))
+                psub = _ParamSubstitutor(await self._process_params(params))
                 stmt = RE_PY_PARAM.sub(psub, stmt)
                 if psub.remaining != 0:
                     raise ProgrammingError(
@@ -461,7 +465,7 @@ async def _fetch_warnings(self) -> Optional[List[WarningType]]:
             result = await cur.fetchall()
         return result if result else None  # type: ignore[return-value]
 
-    def _batch_insert(
+    async def _batch_insert(
         self, operation: str, seq_params: Sequence[ParamsSequenceOrDictType]
     ) -> Optional[bytes]:
         """Implements multi row insert"""
@@ -496,9 +500,11 @@ def remove_comments(match: re.Match) -> str:
             for params in seq_params:
                 tmp = fmt
                 if isinstance(params, dict):
-                    tmp = _bytestr_format_dict(tmp, self._process_params_dict(params))
+                    tmp = _bytestr_format_dict(
+                        tmp, await self._process_params_dict(params)
+                    )
                 else:
-                    psub = _ParamSubstitutor(self._process_params(params))
+                    psub = _ParamSubstitutor(await self._process_params(params))
                     tmp = RE_PY_PARAM.sub(psub, tmp)
                     if psub.remaining != 0:
                         raise ProgrammingError(
@@ -686,7 +692,7 @@ async def execute(
         await self._connection.handle_unread_result()
         await self._reset_result()
 
-        stmt = self._prepare_statement(operation, params)
+        stmt = await self._prepare_statement(operation, params)
         self._executed = stmt
 
         try:
@@ -719,7 +725,7 @@ async def executemulti(
         await self._connection.handle_unread_result()
         await self._reset_result()
 
-        stmt = self._prepare_statement(operation, params)
+        stmt = await self._prepare_statement(operation, params)
         self._executed = stmt
         self._executed_list = []
 
@@ -752,7 +758,7 @@ async def executemany(
             if not seq_params:
                 self._rowcount = 0
                 return None
-            stmt = self._batch_insert(operation, seq_params)
+            stmt = await self._batch_insert(operation, seq_params)
             if stmt is not None:
                 self._executed = stmt
                 return await self.execute(stmt)
diff --git a/mysql-connector-python/lib/mysql/connector/conversion.py b/mysql-connector-python/lib/mysql/connector/conversion.py
@@ -38,7 +38,13 @@
 from decimal import Decimal
 from typing import Any, Callable, Dict, List, Optional, Set, Tuple, Union
 
-from .constants import MYSQL_VECTOR_TYPE_CODE, CharacterSet, FieldFlag, FieldType
+from .constants import (
+    MYSQL_VECTOR_TYPE_CODE,
+    CharacterSet,
+    FieldFlag,
+    FieldType,
+    SQLMode,
+)
 from .custom_types import HexLiteral
 from .types import (
     DescriptionType,
@@ -141,7 +147,7 @@ def to_python(
     @staticmethod
     def escape(
         value: Any,
-        sql_mode: Optional[str] = None,  # pylint: disable=unused-argument
+        sql_mode: Optional[Union[str, bytes]] = None,  # pylint: disable=unused-argument
     ) -> Any:
         """Escape buffer for sending to MySQL"""
         return value
@@ -179,16 +185,19 @@ def __init__(
         ] = {}
 
     @staticmethod
-    def escape(value: Any, sql_mode: Optional[str] = None) -> Any:
+    def escape(value: Any, sql_mode: Optional[Union[str, bytes]] = None) -> Any:
         """
         Escapes special characters as they are expected to by when MySQL
         receives them.
         As found in MySQL source mysys/charset.c
 
         Returns the value if not a string, or the escaped string.
         """
+        if isinstance(sql_mode, bytes):
+            # sql_mode is returned as bytes if use_unicode is set to False during connect()
+            sql_mode = sql_mode.decode()
         if isinstance(value, (bytes, bytearray)):
-            if sql_mode == "NO_BACKSLASH_ESCAPES":
+            if sql_mode is not None and SQLMode.NO_BACKSLASH_ESCAPES in sql_mode:
                 return value.replace(b"'", b"''")
             value = value.replace(b"\\", b"\\\\")
             value = value.replace(b"\n", b"\\n")
@@ -197,7 +206,7 @@ def escape(value: Any, sql_mode: Optional[str] = None) -> Any:
             value = value.replace(b"\042", b"\134\042")  # double quotes
             value = value.replace(b"\032", b"\134\032")  # for Win32
         elif isinstance(value, str) and not isinstance(value, HexLiteral):
-            if sql_mode == "NO_BACKSLASH_ESCAPES":
+            if sql_mode is not None and SQLMode.NO_BACKSLASH_ESCAPES in sql_mode:
                 return value.replace("'", "''")
             value = value.replace("\\", "\\\\")
             value = value.replace("\n", "\\n")
diff --git a/mysql-connector-python/tests/test_bugs.py b/mysql-connector-python/tests/test_bugs.py
