Skip to content

Fix passphrase quoting in decrypt_remote_file_to_string for Windows remotes#69398

Open
gingeekrishna wants to merge 2 commits into
apache:mainfrom
gingeekrishna:fix/69396-teradata-windows-passphrase-quoting
Open

Fix passphrase quoting in decrypt_remote_file_to_string for Windows remotes#69398
gingeekrishna wants to merge 2 commits into
apache:mainfrom
gingeekrishna:fix/69396-teradata-windows-passphrase-quoting

Conversation

@gingeekrishna

Copy link
Copy Markdown

Motivation

Closes #69396

decrypt_remote_file_to_string in encryption_utils.py calls shell_quote_single() unconditionally. Single-quoting is Unix shell syntax and does not work on Windows CMD/PowerShell, so any call targeting a Windows remote host produced a malformed openssl command.

The issue author notes: "[Note that the decrypt_remote_file function in tpt_util.py does cater for Windows.]" — that function already handles this correctly via get_remote_os().

Changes

Apply the same OS-detection pattern already used in tpt_util.py:decrypt_remote_file:

  • Detect the remote OS via get_remote_os(ssh_client)
  • Windows: wrap password in double quotes, escape embedded " as ""
  • Unix/Linux: keep existing shell_quote_single() behaviour (no functional change)
# Before (Unix only)
quoted_password = shell_quote_single(password)

# After (OS-aware)
remote_os = get_remote_os(ssh_client)
if remote_os == "windows":
    quoted_password = '"' + password.replace('"', '""') + '"'
else:
    quoted_password = shell_quote_single(password)

Tests

  • Updated test_decrypt_remote_file_to_string to mock get_remote_os returning "unix" (no behaviour change for Unix path)
  • Added test_decrypt_remote_file_to_string_windows to assert double-quote escaping is used on Windows remotes, including embedded " characters in the password

…emotes

Single-quoting (Unix shell syntax) does not work on Windows CMD/PowerShell.
decrypt_remote_file_to_string used shell_quote_single unconditionally,
so any call targeting a Windows remote host produced a malformed openssl
command and failed to decrypt.

The sibling function decrypt_remote_file in tpt_util.py already handles
this correctly by detecting the remote OS via get_remote_os() and using
double-quote escaping for Windows. Apply the same pattern here:
- Windows: wrap password in double quotes, escape embedded " as ""
- Unix/Linux: keep existing single-quote escaping via shell_quote_single

Fixes: apache#69396
Copilot AI review requested due to automatic review settings July 5, 2026 04:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Quoting of passphrase won't work for windows

2 participants