Skip to content

Fix MariaDB 11.4+ warnings with --no-defaults flag #297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Fix MariaDB 11.4+ warnings with --no-defaults flag #297

Copilot wants to merge 8 commits into from
+14 −8

Conversation

Copy link
Contributor

Copilot AI commented Feb 1, 2026
edited
Loading

MariaDB 11.4+ emits SSL verification warnings when MYSQL_PWD is used with --no-defaults, treating the environment variable as "no password provided" for SSL purposes.

Changes

Added --ssl-verify-server-cert flag conditionally only for MariaDB (not MySQL) to all MySQL/mysqldump commands using --no-defaults in src/Context/FeatureContext.php:

  • create_db() - CREATE DATABASE command
  • test_connection() - connection test query
  • drop_db() - DROP DATABASE command
  • install_wp() - mysql source and mysqldump commands

Implementation

The database type is now auto-detected using Utils\get_db_type() when not explicitly set via the WP_CLI_TEST_DBTYPE environment variable:

if ( getenv( 'WP_CLI_TEST_DBTYPE' ) ) {
    $this->variables['DB_TYPE'] = getenv( 'WP_CLI_TEST_DBTYPE' );
} else {
    // Auto-detect database type if not explicitly set
    $this->variables['DB_TYPE'] = Utils\get_db_type();
}

Created a helper method is_mariadb() to detect MariaDB installations by checking the database type:

private static function is_mariadb() {
    return 'mariadb' === self::$db_type;
}

The flag is then added conditionally:

$ssl_flag = self::is_mariadb() ? ' --ssl-verify-server-cert' : '';
self::run_sql( self::$mysql_binary . ' --no-defaults' . $ssl_flag, [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );

Before

self::run_sql( self::$mysql_binary . ' --no-defaults', [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );

After

// MariaDB
self::run_sql( self::$mysql_binary . ' --no-defaults --ssl-verify-server-cert', [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );

// MySQL (unchanged)
self::run_sql( self::$mysql_binary . ' --no-defaults', [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );

This suppresses the warning for MariaDB without changing MySQL behavior. The detection uses Utils\get_db_type() which checks the binary version output for the 'MariaDB' string, making it reliable for both standard and custom installations.

Original prompt

This section details on the original issue you should resolve

<issue_title>Using MYSQL_PWD causes warnings in recent versions of MariaDB</issue_title>
<issue_description>Background: We remove the password from any mysql commands and store it in the MYSQL_PWD env var:

https://github.com/wp-cli/wp-cli/blob/aeae8711ad62327b943f2fb9d1ed8770dd01b4d6/php/utils.php#L596-L599

This practice used to be encouraged years ago with the idea being that if you send the password on the command line anybody can see it in the output of ps / top / etc...

The problem is, you can also see env vars in these tools as well (ps aux e for example), so you can't really hide the password that way either. On modern systems it is easy and common to make it so users just can't see other users processes, which is the more secure method (see hidepid)

MariaDB specifically discourages using MYSQL_PWD:

https://mariadb.com/kb/en/mariadb-environment-variables/

Default password when connecting to mysqld. It is strongly recommended to use a more secure method of sending the password to the server.

And as of this commit from last year: MariaDB/server@853bdf5

It now displays a warning when the following conditions are true:

* --ssl-verify-server-cert was not enabled explicitly, and
* CA was not specified, and
* fingerprint was not specified, and
* protocol is TCP, and
* no password was provided

These conditions are true for wp-cli, because we use MYSQL_PWD which MariaDB considers to be no password was provided (here).

This is normally fixable by adding this to the config:

[client-mariadb]
ssl-verify-server-cert

But it doesn't remove the warnings in our test environment because we use --no-defaults in several places, which tells MariaDB to ignore the config file:

wp-cli-tests/src/Context/FeatureContext.php

Lines 994 to 1004 in c388578

$dbname = self::$db_settings['dbname'];
self::run_sql( self::$mysql_binary . ' --no-defaults', [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );
}
public function drop_db() {
if ( 'sqlite' === self::$db_type ) {
return;
}
$dbname = self::$db_settings['dbname'];
self::run_sql( self::$mysql_binary . ' --no-defaults', [ 'execute' => "DROP DATABASE IF EXISTS $dbname" ] );
}

Additionally, our tests use that as well: https://github.com/search?q=repo%3Awp-cli%2Fdb-command%20--no-defaults&type=code

So our CI tests for MariaDB don't work because many SQL commands emit the warning:

WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.

Probably the correct solution overall is to not use MYSQL_PWD as it is discouraged. Alternatives would possibly be manually adding --disable-ssl-verify-server-cert (or --ssl-verify-server-cert) to all of these commands. I believe the issue isn't with the option itself, but when the option is not explicitly stated AND there is no password sent as part of the command.

related slack discussion</issue_description>

Comments on the Issue (you are @copilot in this section)

@mrsdizzie Steps to test and reproduce this locally: ``` docker run --name mariadb-test \ -e MARIADB_ROOT_PASSWORD=root \ -e MARIADB_USER=wp_cli_test \ -e MARIADB_PASSWORD=password1 \ -e MARIADB_DATABASE=wp_cli_test \ -d mariadb:11.4

docker exec -it mariadb-test bash

Using password directly works with no warning

root@154e63c58cd5:/# mariadb -u wp_cli_test -p'password1' -h 127.0.0.1 --port=3306 --protocol=tcp -e "SHOW DATABASES;"
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp_cli_test |
+--------------------+

Using MYSQL_PWD works but causes warning

root@154e63c58cd5:/# export MYSQL_PWD=password1
root@154e63c58cd5:/# mariadb -uwp_cli_test -h 127.0.0.1 --port=3306 --protocol=tcp -e "SHOW DATABASES;"
WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp_cli_test |
+--------------------+

Edit /etc/mysql/my.cnf and add:

[client-mariadb]

ssl-verify-server-cert

Now works without warning

root@154e63c58cd5:/# mariadb -u wp_cli_test -h 127.0.0.1 --port=3306 --protocol=tcp -e "SHOW DATABASES;"
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp_cli_test |
+--------------------+

Using --no-defaults ignores the config file and warning is back

root@154e63c58cd5:/# mariadb --no-defaults -u wp_cli_test -h 127.0.0.1 --port=3306 --protocol=tcp -e "SHOW DATABASES;"
WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp_cli_test |
+--------------------+

Adding --ssl-verify-server-cert directly to command removes warning:

root@154e63...

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@swissspidy
Add --ssl-verify-server-cert flag to MySQL commands with --no-defaults
2230ea0 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix warnings caused by MYSQL_PWD in MariaDB Fix MariaDB 11.4+ warnings with --no-defaults flag Feb 1, 2026
Copilot AI requested a review from swissspidy February 1, 2026 17:49
@codecov
Copy link

codecov bot commented Feb 1, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 13 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/Context/FeatureContext.php 0.00% 13 Missing ⚠️

📢 Thoughts on this report? Let us know!

@swissspidy

This comment was marked as resolved.

Sign in to view
@swissspidy
Add SSL flag only for MariaDB, not MySQL
30a9efa 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

This comment was marked as resolved.

Sign in to view
Copilot AI and others added 2 commits February 2, 2026 02:00
@swissspidy
Extract MariaDB detection into helper method with basename check
aef1158 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
@swissspidy
Improve documentation for is_mariadb() helper method
aa5f61b 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
@swissspidy

This comment was marked as resolved.

Sign in to view
@swissspidy
Use db_type variable instead of binary path to detect MariaDB
3be0a6e 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

This comment was marked as resolved.

Sign in to view
@swissspidy swissspidy marked this pull request as ready for review February 3, 2026 01:34
@swissspidy swissspidy requested a review from a team as a code owner February 3, 2026 01:34
Copilot AI review requested due to automatic review settings February 3, 2026 01:34

This comment was marked as resolved.

Sign in to view

@swissspidy swissspidy added this to the 5.0.9 milestone Feb 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@swissspidy swissspidy Awaiting requested review from swissspidy

At least 1 approving review is required to merge this pull request.

Assignees

@swissspidy swissspidy

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

5.0.9

Development

Successfully merging this pull request may close these issues.

Using MYSQL_PWD causes warnings in recent versions of MariaDB

2 participants

@swissspidy