Re: Forbid use of LF and CR characters in database and role names - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: Forbid use of LF and CR characters in database and role names
Date
Msg-id CAB7nPqS2-5AC=a-OXEQuPNYfiZWvJ_axv7GWfEouW+52QG82LA@mail.gmail.com
In response to Re: Forbid use of LF and CR characters in database and role names  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
List pgsql-hackers
On Fri, Sep 2, 2016 at 2:44 AM, Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> On 8/11/16 9:12 PM, Michael Paquier wrote:
>> Note that pg_dump[all] and pg_upgrade already have safeguards against
>> those things per the same routines putting quotes for execution as
>> commands into psql and shell. So attached is a patch to implement this
>> restriction in the backend,
>
> How about some documentation?  I think the CREATE ROLE and CREATE
> DATABASE man pages might be suitable places.

Sure. What do you think about that?
+  <para>
+    Database names cannot include <literal>LF</> or <literal>CR</> characters
+    as those could be at the origin of security breaches, particularly on
+    Windows where the command shell is unusable with arguments containing
+    such characters.
+   </para>
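Review bot: the wording "could be at the origin of security breaches" in this new paragraph does not tell the reader what the risk actually is. Consider stating that names containing these characters cannot be quoted safely when they are passed as arguments to shell commands or to psql, which is the reason given earlier in the thread for the existing pg_dump[all] and pg_upgrade safeguards. Spelling out LF and CR as line feed and carriage return on first use would also help readers. The closing </para> is indented one column deeper than the opening <para>. Since the subject of the thread covers role names as well, the CREATE ROLE page needs a matching paragraph, as this one only mentions database names.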
--
Michael
