From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Forbid use of LF and CR characters in database and role names |
Date: | 2016-09-02 06:04:31 |
Message-ID: | CAB7nPqS2-5AC=a-OXEQuPNYfiZWvJ_axv7GWfEouW+52QG82LA@mail.gmail.com |
Lists: | pgsql-hackers |
On Fri, Sep 2, 2016 at 2:44 AM, Peter Eisentraut
<peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> On 8/11/16 9:12 PM, Michael Paquier wrote:
>> Note that pg_dump[all] and pg_upgrade already have safeguards against
>> those things per the same routines putting quotes for execution as
>> commands into psql and shell. So attached is a patch to implement this
>> restriction in the backend,
>
> How about some documentation? I think the CREATE ROLE and CREATE
> DATABASE man pages might be suitable places.
Sure. What do you think about that?
+ <para>
+ Database names cannot include <literal>LF</> or <literal>CR</> characters
+ as those could be at the origin of security breaches, particularly on
+ Windows where the command shell is unusable with arguments containing
+ such characters.
+ </para>
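Review bot: The first line of the new paragraph restricts only database names, while the subject of the change covers role names as well, so the CREATE ROLE page needs an equivalent paragraph unless another part of the patch already adds it. The phrase "as those could be at the origin of security breaches" is awkward and vague; consider "because such names could be used to cause security problems", and spell out "line feed (LF)" and "carriage return (CR)" on first use, since the bare abbreviations inside <literal> may not be obvious to every reader of the reference page.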
--
Michael
Attachment | Content-Type | Size |
---|---|---|
forbid-cr-lf-v3.patch | text/x-diff | 4.6 KB |