CRITICAL FIX - SQL Injection Vulnerability (Lines 1143, 1154, 1191, 1198):
- Database names were previously unescaped in SQL WHERE clauses
- Attacker could inject SQL via database name parameter
- Example exploit: 'mydb' OR '1'='1' would return all databases
- Fixed: Wrapped $dbname identifier with backticks in all SQL queries
- Backticks are the proper MySQL syntax for quoting identifiers
HIGH FIX - Recovery Mode Input Validation (Lines 1619-1641):
- User input for recovery mode (0-6) was not validated
- Could accept invalid values like "abc", "999", "-1"
- These would cause MySQL startup to fail with confusing errors
- Fixed: Added numeric range validation [[ recovery_mode -ge 0 && -le 6 ]]
- Invalid input now shows clear error message
Impact: Eliminates both information disclosure (SQL injection) and DoS risks
from invalid recovery mode values. Script is now significantly more robust.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
1. Remove dead code: Broken socket safety check (line 882)
- The condition [ "\$datadir/socket.mysql" = "/var/lib/mysql/mysql.sock" ]
would never be true and is redundant (real check exists at line 864)
- Removed 4 lines of dead code
2. Simplify confirmation logic (line 1660)
- Was: if [ "\$confirm" = "0" ] || [ "\$confirm" != "y" ]
- Now: if [ "\$confirm" != "y" ]
- More readable and clearer intent (only "y" proceeds)
3. Quote unquoted variable in kill command (line 1000)
- Was: kill -0 \$pid
- Now: kill -0 "\$pid"
- Prevents word splitting if PID contains spaces
4. Clarify script flow (line 740-742)
- Added comment explaining why script exits after show_recovery_options()
- Helps users understand they must re-run script with new recovery level
- Prevents confusion about script termination
This is intentional design: show recovery options, user manually selects
level, user re-runs script. This prevents blind escalation through recovery
levels without explicit user approval at each step (safety consideration).
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
MAJOR FIX: The error detection function was calculating the correct
recovery level, but the show_recovery_options() function was NOT using
the results - it was still using the old level-based progression logic.
Changes:
1. Missing files section (lines 435-445):
- Now calls detect_recovery_level_from_errors()
- Displays "Error analysis recommends: Force Recovery Level X"
- Shows the recommended level to user prominently
2. Redo log incompatibility section (lines 568-615):
- Now calls detect_recovery_level_from_errors()
- Shows "Error analysis recommends: Force Recovery Level X"
- Correctly uses Level 5 (not hardcoded Level 6)
- Explains consequences of that level
3. Corruption section (lines 599-675):
- Now uses recommended_level to determine what to display
- Shows "Try Force Recovery Level X" based on detection
- Only shows escalation levels up to recommended_level
- Marks the detected level with "RECOMMENDED" indicator
Impact:
- Error detection now drives the actual user-facing recommendations
- Recovery level selection is now truly intelligent, not just level progression
- User gets the right recommendation based on error TYPE, not guesswork
- Escalation happens only if user retries at the same level
All 3 error paths now properly use error-based detection results.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Apply proper shutdown validation to pre-startup cleanup (line 881-899)
If a stale socket exists, wait for it to be removed instead of just
sleeping 2 seconds. Uses same pattern as stop_second_instance().
- Apply proper shutdown validation to error path (line 937-960)
When InnoDB errors are detected, use validated shutdown with socket
removal verification instead of fire-and-forget mysqladmin call.
- All 4 shutdown paths now consistently:
1. Send graceful shutdown
2. Wait for socket file to disappear
3. Clean up stale socket/lock files
4. Verify process termination
This ensures no stale processes/sockets remain that could cause crashes
on subsequent script runs.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Fix recovery level selection logic: Now uses error-type-based detection instead of
level-based progression. Added detect_recovery_level_from_errors() function that
maps specific error patterns to appropriate recovery levels (missing files → Level 1,
redo incompatibility → Level 5, corruption → Levels 1/4/6 with escalation, etc.)
- Fix shutdown/reset crashes: Improved stop_second_instance() and cleanup_on_exit()
trap handlers with proper validation. Now verifies socket removal and process
termination before marking instance as stopped. Implements graceful shutdown with
force-kill fallback if needed. Prevents stale sockets/locks that cause crashes
on subsequent runs.
- Fix while loop condition: Removed buggy [ -n "$count" ] check that was always true.
Loop now correctly terminates based on numeric condition [ "$count" -lt 30 ].
- Integrate error-based recovery recommendations: Modified show_recovery_options()
to call detect_recovery_level_from_errors() early and display both error type
and recommended recovery level to user. Provides intelligent, error-specific
guidance instead of generic level progression.
All changes validated:
✓ Syntax check: bash -n passing
✓ QA scan: No new HIGH issues introduced (2 MEDIUM, 1 LOW are pre-existing)
✓ Script still handles all recovery scenarios
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Added proper null/empty checks and variable quoting in 3 files:
1. wordpress-cron-manager.sh (2 issues):
- Added validation for $site_path before use
- Quoted variable in cron command to prevent word splitting
- Lines 446-449: Check if path is empty or invalid before processing
2. malware-scanner.sh (1 issue):
- Added safety check for $SCAN_DIR before suggesting rm -rf command
- Prevents dangerous rm operations if variable is empty or root
- Line 1583-1585: Guard against accidental deletions
3. mysql-restore-to-sql.sh (2 issues):
- Quoted $datadir in echo statements showing manual commands
- Lines 426, 441, 444, 447: Proper quoting in examples
Impact: Prevents potential issues from empty/undefined variables
Automatically detects when missing tablespace errors are unrelated to the
selected database and recommends Force Recovery Level 1.
Changes:
- Added selected_database parameter to show_recovery_options()
- Detects if missing files are from selected DB vs other DBs
- Shows clear recommendation when missing files are ONLY from other databases
- Explains that Force Recovery Level 1 is safe and correct for selective restore
- Prevents user confusion when restoring single DB from full backup
Use case:
When user restores ibdata1 + single database (e.g., amea_wp) from a full backup,
ibdata1 contains metadata for all databases. Script now detects this and says:
'SMART DETECTION: Missing files are from OTHER databases, not amea_wp'
'Your selected database amea_wp appears to have all files!'
'RECOMMENDED ACTION: Use Force Recovery Level 1'
This eliminates confusion and guides users to the correct solution.
The intelligent recovery system wasn't detecting missing .ibd files because
MariaDB/MySQL error format uses 'was not found at' instead of 'missing'.
Changes:
- Added 'was not found at' pattern to grep searches (3 locations)
- Enhanced tablespace extraction to parse './db/table.ibd' format
- Extracts database/table from error: 'Tablespace N was not found at ./db/table.ibd'
- Falls back to quoted tablespace name extraction if new pattern doesn't match
Now when script detects missing .ibd files it will:
- Show DIAGNOSIS: Missing or unopenable tablespace files
- List exact missing tables with database names
- Provide copy-paste ready cp commands
- Show all recovery options instead of generic troubleshooting
- Removed control panel path documentation from script header
(system-detect.sh already documents and shows this when it runs)
- Changed detect_control_panel from silent (>/dev/null) to visible output
so users see what control panel was detected and which paths will be used
- Added comment explaining SYS_USER_HOME_BASE usage
Added comprehensive documentation to script header:
- Lists all 4 control panel paths (cPanel, Plesk, InterWorx, standalone)
- References source: lib/system-detect.sh -> SYS_USER_HOME_BASE
- Documents InterWorx special case (/chroot/home vs /home symlink)
- Shows restore directory and SQL output directory formats
- Makes it clear where paths come from for maintenance
Changes to modules/backup/mysql-restore-to-sql.sh:
Multi-Control Panel Support:
- Source system-detect.sh to detect control panel
- Use SYS_USER_HOME_BASE for restore directory paths
- cPanel/InterWorx/Standalone: /home
- Plesk: /var/www/vhosts
- Fixes issue where InterWorx/Plesk don't have /home directories
SQL Output Location Fix:
- Changed output from current working directory to restore directory
- SQL files now saved to parent of TEMP_DATADIR
Example: /home/temp/restore20251210/ (not /root/)
- Prevents cluttering control panel system directories
- Added print_info showing exact save location before dump
Safety Enhancements:
- Added check_disk_space() function (validates 2x required space)
- Added warn_force_recovery() function (levels 5-6 require risk acknowledgment)
- Integrated disk space check before dump creation
- Integrated force recovery warnings in step4_configure_options()
- Added cleanup trap handler for Ctrl+C/interruption
- Critical safety check prevents using /var/lib/mysql as restore dir
Changes to REFDB_FORMAT.txt:
- Documented multi-control panel support
- Added control_panel_paths section with all 4 panel paths
- Updated output location documentation
- Added safety features documentation
- Updated features list
QA Status: ✅ PASSED
- 0 CRITICAL issues
- 0 HIGH issues
- Syntax validated
- All safety checks functional
cschantz