Re: Patch: initdb: "'" for QUOTE_PATH (non-windows)
From | Ryan Murphy |
---|---|
Subject | Re: Patch: initdb: "'" for QUOTE_PATH (non-windows) |
Date | |
Msg-id | CAHeEsBeb_rXt3z5KyNbT1BEihjX28EFrCXA48MDDSPExOZxqhw@mail.gmail.com |
In response to | Re: Patch: initdb: "'" for QUOTE_PATH (non-windows) (Andres Freund <andres@anarazel.de>) |
Responses | Re: Patch: initdb: "'" for QUOTE_PATH (non-windows) |
List | pgsql-hackers |
> I think that's actually a good thing to forbid.
I think I agree, Andres. There are already comments in the appendShellString function to this effect - they say that CR/LF chars in a file name are mostly used for malicious hacking attempts anyways - I know I've hardly ever needed a newline in a file name.
Did you see anything else in my code that you have recommendations about? I made sure to free the PQExpBufferStr vars that I allocated.
Best,
On Wed, Aug 17, 2016 at 7:41 PM, Andres Freund <andres@anarazel.de> wrote:
> On 2016-08-18 09:14:44 +0900, Michael Paquier wrote:
> > On Thu, Aug 18, 2016 at 12:21 AM, Ryan Murphy <ryanfmurphy@gmail.com> wrote:
> > > I have created a better patch (attached) that correctly escapes the shell
> > > arguments using PQExpBufferStr and the appendShellString function, as per
> > > Michael and Andres' suggestions.
> > >
> > > Further suggestions welcome of course.
> >
> > As far as I know, it is perfectly possible to have LF/CR in a path
> > name (that's bad practice btw...), and your patch would make initdb
> > fail in such cases. Do we want to authorize that?
> I think that's actually a good thing to forbid.
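
An added illustration of the two behaviours discussed in this thread: single-quoting a path for a POSIX shell and refusing paths that contain CR or LF. This is not the attached patch and not PostgreSQL's appendShellString; `shell_quote_path` and the sample paths are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: wrap path in single quotes for a POSIX shell.
 * An embedded ' becomes '"'"' (close quote, double-quoted ', reopen quote).
 * Returns a malloc'd string; NULL if path contains LF/CR or malloc fails. */
char *shell_quote_path(const char *path)
{
    size_t len = 2;                 /* opening and closing quote */
    const char *p;
    char *out, *q;

    for (p = path; *p; p++) {
        if (*p == '\n' || *p == '\r')
            return NULL;            /* refuse rather than try to quote */
        len += (*p == '\'') ? 5 : 1;
    }
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    q = out;
    *q++ = '\'';
    for (p = path; *p; p++) {
        if (*p == '\'') {
            memcpy(q, "'\"'\"'", 5);
            q += 5;
        } else {
            *q++ = *p;
        }
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample paths: a space, a single quote, an embedded LF. */
    const char *samples[] = { "/srv/pg data", "/srv/it's", "/srv/a\nb" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *quoted = shell_quote_path(samples[i]);
        if (quoted == NULL)
            puts("rejected: path contains CR/LF");
        else
            printf("quoted: %s\n", quoted);
        free(quoted);
    }
    return 0;
}
```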