fix(security): robust version-agnostic password column detection (Issue #22)

- Refactored password column detection into a standalone sub.
- Implemented schema-based detection using information_schema.COLUMNS.
- Added regression test tests/repro_issue_22.t.
- Updated tests/test_issue_875.t mocks.
- Updated Changelog.

Author: jmrenouard

Changelog

@@ -1,5 +1,8 @@
-2.8.36 2026-02-02
+2.8.36 2026-02-13
 
+- fix: robust, version-agnostic detection of password column in mysql.user via schema inspection (Issue #22).
+- fix: correct regression in tests/test_issue_875.t by updating database mocks.
+- test: add comprehensive test suite for password column detection (tests/repro_issue_22.t).
 - fix: prevent creation of directory "0" when --dumpdir is not specified or set to 0 (Issue #20).
 - test: add reproduction test for Performance Schema disabled scenario (repro_pfs_disabled.t).
 - ci: fix Docker API mismatch in GitHub Actions by migrating to native services.

README.fr.md

@@ -56,7 +56,7 @@ Les résultats des tests sont disponibles ici uniquement pour les versions LTS 
 * Cluster Percona XtraDB (prise en charge complète)
 * Réplication MySQL (prise en charge partielle, pas d'environnement de test)
 
-Merci à [endoflife.date](endoflife.date)
+Merci à [endoflife.date](https://endoflife.date/)
 
 * Reportez-vous aux [versions prises en charge de MariaDB](https://github.com/jmrenouard/MySQLTuner-perl/blob/master/mariadb_support.md).
 * Reportez-vous aux [versions prises en charge de MySQL](https://github.com/jmrenouard/MySQLTuner-perl/blob/master/mysql_support.md).

README.it.md

@@ -56,7 +56,7 @@ I risultati dei test sono disponibili qui solo per LTS:
 * Cluster Percona XtraDB (supporto completo)
 * Replica MySQL (supporto parziale, nessun ambiente di test)
 
-Grazie a [endoflife.date](endoflife.date)
+Grazie a [endoflife.date](https://endoflife.date/)
 
 * Fare riferimento a [Versioni supportate di MariaDB](https://github.com/jmrenouard/MySQLTuner-perl/blob/master/mariadb_support.md).
 * Fare riferimento a [Versioni supportate di MySQL](https://github.com/jmrenouard/MySQLTuner-perl/blob/master/mysql_support.md).

README.md

@@ -56,7 +56,7 @@ Test result are available here for LTS only:
 * Percona XtraDB cluster (full support)
 * MySQL Replication (partial support, no test environment)
 
-Thanks to [endoflife.date](endoflife.date)
+Thanks to [endoflife.date](https://endoflife.date/)
 
 * Refer to [MariaDB Supported versions](https://github.com/jmrenouard/MySQLTuner-perl/blob/master/mariadb_support.md).
 * Refer to [MySQL Supported versions](https://github.com/jmrenouard/MySQLTuner-perl/blob/master/mysql_support.md).

README.ru.md

@@ -56,7 +56,7 @@ MySQLTuner нуждается в вас
 * Кластер Percona XtraDB (полная поддержка)
 * Репликация MySQL (частичная поддержка, нет тестовой среды)
 
-Спасибо [endoflife.date](endoflife.date)
+Спасибо [endoflife.date](https://endoflife.date/)
 
 * См. [Поддерживаемые версии MariaDB](https://github.com/jmrenouard/MySQLTuner-perl/blob/master/mariadb_support.md).
 * См. [Поддерживаемые версии MySQL](https://github.com/jmrenouard/MySQLTuner-perl/blob/master/mysql_support.md).

documentation/specifications/fix_password_column_detection.md

@@ -0,0 +1,34 @@
+# Specification: Robust Password Column Detection in mysqltuner.pl
+
+## Problem
+
+`mysqltuner.pl` fails to detect the correct password column (`password` vs `authentication_string`) on MySQL 8.0+ because its detection logic is hardcoded for specific versions (5.7, MariaDB 10.2-10.5). This leads to failing SQL queries like:
+`SELECT ... FROM mysql.user WHERE (password = '' OR password IS NULL)`
+on versions where the `password` column no longer exists.
+
+## Requirements
+
+1. **Version Agnostic**: Detection must rely on actual schema inspection of `mysql.user` rather than hardcoded version numbers.
+2. **Compatibility**:
+    - Support legacy `Password` (capital P) and modern `authentication_string` columns.
+    - Handle instances where both might exist (e.g., during some MariaDB upgrades).
+    - Stay agnostic to exact casing of the `Password` column.
+3. **Stability**:
+    - Fail gracefully if no known authentication column is found.
+    - Ensure the resulting SQL remains safe for all supported versions.
+
+## Proposed Logic
+
+1. Retrieve columns from `mysql.user` using `select_table_columns_db('mysql', 'user')`.
+2. Check for `authentication_string` and `password` (case-insensitive).
+3. Set `$PASS_COLUMN_NAME`:
+    - If both exist: use `IF(plugin='mysql_native_password', authentication_string, password)`.
+    - If only `authentication_string` exists: use `authentication_string`.
+    - If only `password` exists: use the exact name found in the schema (e.g., `Password`).
+4. If none exist, log an info message and return early (skip password-related security checks).
+
+## Success Criteria
+
+- `mysqltuner.pl` executes security recommendations without SQL errors on MySQL 8.0.
+- `mysqltuner.pl` still works correctly on legacy MySQL 5.5/5.6.
+- `mysqltuner.pl` works correctly on MariaDB 10.11+.

mysqltuner.pl

@@ -2167,6 +2167,34 @@ sub select_table_columns_db {
     );
 }
 
+sub get_password_column_name {
+    my @mysql_user_columns = select_table_columns_db( 'mysql', 'user' );
+    my $pass_column        = '';
+    my $auth_column        = '';
+
+    if ( grep { /^authentication_string$/msx } @mysql_user_columns ) {
+        $auth_column = 'authentication_string';
+    }
+
+    # Case-insensitive match for Password/password
+    my @pass_matches = grep { lc($_) eq 'password' } @mysql_user_columns;
+    if (@pass_matches) {
+        $pass_column = $pass_matches[0];
+    }
+
+    if ( $auth_column && $pass_column ) {
+        return "IF(plugin='mysql_native_password', $auth_column, $pass_column)";
+    }
+    elsif ($auth_column) {
+        return $auth_column;
+    }
+    elsif ($pass_column) {
+        return $pass_column;
+    }
+
+    return '';
+}
+
 sub get_tuning_info {
     my @infoconn = select_array "\\s";
     my ( $tkey, $tval );
@@ -3359,36 +3387,11 @@ sub security_recommendations {
 
     infoprint "$myvar{'version_comment'} - $myvar{'version'}";
 
-    my $PASS_COLUMN_NAME = 'password';
+    my $PASS_COLUMN_NAME = get_password_column_name();
 
-    # New table schema available since mysql-5.7 and mariadb-10.2
-    # But need to be checked
-    if (
-        ( $myvar{'version'} =~ /5\.7/ )
-        or (
-            ( $myvar{'version'} =~ /10\.[2-5]\..*/ )
-            and (  ( $myvar{'version'} =~ /MariaDB/i )
-                or ( $myvar{'version_comment'} =~ /MariaDB/i ) )
-        )
-      )
-    {
-        my $result_pass = execute_system_command(
-"$mysqlcmd $mysqllogin -Bse \"SELECT 1 FROM information_schema.columns WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME = 'password'\" 2>>$devnull"
-        );
-        my $result_auth = execute_system_command(
-"$mysqlcmd $mysqllogin -Bse \"SELECT 1 FROM information_schema.columns WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME = 'authentication_string'\" 2>>$devnull"
-        );
-        if ( $result_pass && $result_auth ) {
-            $PASS_COLUMN_NAME =
-"IF(plugin='mysql_native_password', authentication_string, password)";
-        }
-        elsif ($result_auth) {
-            $PASS_COLUMN_NAME = 'authentication_string';
-        }
-        elsif ( !$result_pass ) {
-            infoprint "Skipped due to none of known auth columns exists";
-            return;
-        }
+    if ( $PASS_COLUMN_NAME eq '' ) {
+        infoprint "Skipped due to none of known auth columns exists";
+        return;
     }
     debugprint "Password column = $PASS_COLUMN_NAME";
 

tests/repro_issue_22.t

@@ -0,0 +1,59 @@
+use strict;
+use warnings;
+use Test::More;
+use File::Basename;
+use File::Spec;
+use Cwd 'abs_path';
+
+# Load mysqltuner.pl as a library
+my $script_dir = dirname(abs_path(__FILE__));
+my $script = abs_path(File::Spec->catfile($script_dir, '..', 'mysqltuner.pl'));
+require $script;
+
+# Mocking necessary database calls and variables
+no warnings 'redefine';
+
+my $mocked_columns = [];
+*main::select_table_columns_db = sub { return @$mocked_columns };
+*main::execute_system_command = sub { return "" }; # Dummy
+*main::subheaderprint = sub { };
+*main::infoprint = sub { };
+*main::goodprint = sub { };
+*main::badprint = sub { };
+*main::debugprint = sub { };
+*main::select_one = sub { return 0 };
+*main::select_array = sub { return () };
+*main::mysql_version_le = sub { return 0 };
+*main::mysql_version_ge = sub { return 1 };
+
+subtest 'Detection Logic - MySQL 5.5/5.6 (Password only)' => sub {
+    $mocked_columns = ['Host', 'User', 'Password', 'Select_priv'];
+    my $res = main::get_password_column_name();
+    is($res, 'Password', 'Detected Password (capital P)');
+};
+
+subtest 'Detection Logic - MySQL 5.5/5.6 (password lowercase)' => sub {
+    $mocked_columns = ['Host', 'User', 'password', 'Select_priv'];
+    my $res = main::get_password_column_name();
+    is($res, 'password', 'Detected password (lowercase)');
+};
+
+subtest 'Detection Logic - MySQL 8.0 (authentication_string only)' => sub {
+    $mocked_columns = ['Host', 'User', 'authentication_string', 'Select_priv'];
+    my $res = main::get_password_column_name();
+    is($res, 'authentication_string', 'Detected authentication_string');
+};
+
+subtest 'Detection Logic - MariaDB Mixed (both exist)' => sub {
+    $mocked_columns = ['Host', 'User', 'Password', 'authentication_string', 'Select_priv'];
+    my $res = main::get_password_column_name();
+    is($res, "IF(plugin='mysql_native_password', authentication_string, Password)", 'Detected both and used IF(...)');
+};
+
+subtest 'Detection Logic - None exist' => sub {
+    $mocked_columns = ['Host', 'User', 'Select_priv'];
+    my $res = main::get_password_column_name();
+    is($res, '', 'Returned empty string when none exist');
+};
+
+done_testing();

tests/test_issue_875.t

@@ -43,7 +43,13 @@ my $mock_login_success = 0;
 
     # Mock select_one and select_array to avoid DB connection
     *main::select_one = sub { return 0; };
-    *main::select_array = sub { return (); };
+    *main::select_array = sub {
+        my ($sql) = @_;
+        if ($sql =~ /FROM information_schema\.COLUMNS WHERE TABLE_SCHEMA='mysql' AND TABLE_NAME='user'/) {
+            return ('Host', 'User', 'authentication_string');
+        }
+        return ();
+    };
 }
 
 sub has_output {