Re: Common function for percent placeholder replacement

On Wed, Dec 14, 2022 at 2:31 AM Peter Eisentraut
<peter.eisentraut@enterprisedb.com> wrote:
> There are a number of places where a shell command is constructed with
> percent-placeholders (like %x).  First, it's obviously cumbersome to
> have to open-code this several times.  Second, each of those pieces of
> code silently encodes some edge case behavior, such as what to do with
> unrecognized placeholders.  (I remember when I last did one of these, I
> stared very hard at the existing code instances to figure out what they
> would do.)  We now also have a newer instance in basebackup_to_shell.c
> that has different behavior in such cases.  (Maybe it's better, but it
> would be good to be explicit and consistent about this.)

Well, OK, I'll tentatively cast a vote in favor of adopting
basebackup_to_shell's approach elsewhere. Or to put that in plain
English: I think that if the input appears to be malformed, it's
better to throw an error than to guess what the user meant. In the
case of basebackup_to_shell there are potentially security
ramifications to the setting involved so it seemed like a bad idea to
take a laissez faire approach. But also, just in general, if somebody
supplies an ssl_passphrase_command or archive_command with %<something
unexpected>, I don't really see why we should treat that differently
than trying to start the server with work_mem=banana.

-- 
Robert Haas
EDB: http://www.enterprisedb.com