Merge pull request #5855 from tractorcow/pulls/3.4/fix-mysql-privileges

BUG Fix permission checking code not correctly handling escaped SQL identifiers

dev/install/MySQLDatabaseConfigurationHelper.php

@@ -172,8 +172,10 @@ class MySQLDatabaseConfigurationHelper implements DatabaseConfigurationHelper {
 		if(!$this->checkValidDatabaseName($database)) return false;
 
 		// Escape all valid database patterns (permission must exist on all tables)
+		$sqlDatabase = addcslashes($database, '_%'); // See http://dev.mysql.com/doc/refman/5.7/en/string-literals.html
 		$dbPattern = sprintf(
-			'((%s)|(%s)|(%s))',
+			'((%s)|(%s)|(%s)|(%s))',
+			preg_quote("\"$sqlDatabase\".*"), // Regexp escape sql-escaped db identifier
 			preg_quote("\"$database\".*"),
 			preg_quote('"%".*'),
 			preg_quote('*.*')

tests/dev/MySQLDatabaseConfigurationHelperTest.php

@@ -74,6 +74,14 @@ class MySQLDatabaseConfigurationHelperTest extends SapphireTest {
 				. " WITH GRANT OPTION"
 		));
 
+		// Accept create on this database only
+		$this->assertNotEmpty($helper->checkDatabasePermissionGrant(
+			'database_name',
+			'create',
+			"GRANT ALL PRIVILEGES, CREATE ON \"database\\_name\".* TO 'root'@'localhost' IDENTIFIED BY PASSWORD 'XXXX'"
+				. " WITH GRANT OPTION"
+		));
+
 		// Accept create on any database (alternate wildcard syntax)
 		$this->assertNotEmpty($helper->checkDatabasePermissionGrant(
 			'database_name',