On Tue, 11 Mar 2025 at 20:12, Álvaro Herrera <
alvherre@alvh.no-ip.org> wrote:
>
> On 2025-Mar-11, Mahendra Singh Thalor wrote:
>
> > On Wed, 5 Mar 2025 at 20:42, Álvaro Herrera <
alvherre@alvh.no-ip.org> wrote:
>
> > > Okay, we should probably fix that, but I think the new map.dat file your
> > > patch adds is going to make the problem worse, because it doesn't look
> > > like you handled that case in any particular way that would make it not
> > > fail.
> >
> > As Jian also pointed out, we should not allow \n\r in dbnames. I am
> > keeping dbanames as single line names only.
>
> Ehm, did you get consensus on adding such a restriction?
>
Hi Alvaro,
In map.dat file, I tried to fix this issue by adding number of characters in dbname but as per code comments, as of now, we are not supporting \n\r in dbnames so i removed handling.
I will do some more study to fix this issue.
/*
* Append the given string to the shell command being built in the buffer,
* with shell-style quoting as needed to create exactly one argument.
*
* Forbid LF or CR characters, which have scant practical use beyond designing
* security breaches. The Windows command shell is unusable as a conduit for
* arguments containing LF or CR characters. A future major release should
* reject those characters in CREATE ROLE and CREATE DATABASE, because use
* there eventually leads to errors here.
*
* appendShellString() simply prints an error and dies if LF or CR appears.
* appendShellStringNoError() omits those characters from the result, and
* returns false if there were any.
*/
void
appendShellString(PQExpBuffer buf, const char *str)
Sorry, in the v22 patches, I missed to use the "git add connectdb.c" file. (Thanks Andrew for reporting this offline)
Here, I am attaching updated patches for review and testing.
