Re: [PATCH] Log details for client certificate failures - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PATCH] Log details for client certificate failures
Date
Msg-id CAAWbhmiVZgfAUc=BuahotfHokWuJXLD6KQs8gYVvp_twFgQ-xg@mail.gmail.com
Whole thread Raw
In response to Re: [PATCH] Log details for client certificate failures  (Andres Freund <andres@anarazel.de>)
Responses Re: [PATCH] Log details for client certificate failures
List pgsql-hackers
On Tue, Jul 19, 2022 at 10:09 AM Andres Freund <andres@anarazel.de> wrote:
> On 2022-07-19 12:39:43 -0400, Tom Lane wrote:
> > Having said that, I struggle to see why we are panicking about badly
> > encoded log data from this source while blithely ignoring the problems
> > posed by non-ASCII role names, database names, and tablespace names.
>
> I think we should fix these as well. I'm not as concerned about post-auth
> encoding issues (i.e. tablespace name) as about pre-auth data (role name,
> database name) - obviously being allowed to log in already is a pretty good
> filter...

v2 adds escaping to pg_clean_ascii(). My original attempt used
StringInfo allocation, but that didn't play well with guc_malloc(), so
I switched to a two-pass API where the caller allocates. Let me know
if I'm missing something obvious; this way is more verbose than I'd
like...

Thanks,
--Jacob

Attachment

pgsql-hackers by date:

Previous
From: Nathan Bossart
Date:
Subject: Re: pg_parameter_aclcheck() and trusted extensions
Next
From: Andres Freund
Date:
Subject: Re: [PATCH] Log details for client certificate failures