Re: syntax error causes crafted data to be executed in shell

Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Tom, would you show an example of the change in behavior? I didn't
> > understand the details.
>
> In CVS tip:
>
> regression=# \N `touch wrong1` \i `touch wrong2`
> Invalid command \N. Try \? for help.
> : No such file or directory
> regression=#
>
> Both wrong1 and wrong2 are created.  Thomer originally asserted that
> wrong1 shouldn't have been created, ie, we shouldn't have tried to
> evaluate the backticked "argument" to \N.  I further suggest that it's
> not a good idea to even try to process the \i command.  I'd prefer to
> see something like
>
> regression=# \N `touch wrong1` \i `touch wrong2`
> Invalid command \N. Try \? for help.
> Ignoring junk "`touch wrong1` \i `touch wrong2`"
> regression=#

So if a backslash command fails we discard the rest of the line?  I
guess.

How did user data ever get to psql in this way?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073