Thread: Forbid use of LF and CR characters in database and role names

Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
Hi all,

As CVE-2016-5424 has put recently in light, using LF and CR in
database and role names can lead to unexpected problems in the way
they are handled in logical backups or generated command lines. There
is as well a comment in the code mentioning a potential restriction
for that, precisely in fe_utils/string_utils.c:
+ * Forbid LF or CR characters, which have scant practical use beyond designing
+ * security breaches.  The Windows command shell is unusable as a conduit for
+ * arguments containing LF or CR characters.  A future major release should
+ * reject those characters in CREATE ROLE and CREATE DATABASE, because use
+ * there eventually leads to errors here.

Note that pg_dump[all] and pg_upgrade already have safeguards against
those things per the same routines putting quotes for execution as
commands into psql and shell. So attached is a patch to implement this
restriction in the backend, and I am adding that to the next CF for
10.0. Attached is as well a script able to trigger those errors.
Thoughts?
--
Michael

Attachment

Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Fri, Aug 12, 2016 at 10:12 AM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> Note that pg_dump[all] and pg_upgrade already have safeguards against
> those things per the same routines putting quotes for execution as
> commands into psql and shell. So attached is a patch to implement this
> restriction in the backend, and I am adding that to the next CF for
> 10.0. Attached is as well a script able to trigger those errors.
> Thoughts?

I am re-sending the patch. For a reason escaping me, it is showing up
as 'invalid/octet-stream'... (Thanks Bruce for noting that)
--
Michael

Attachment

Re: Forbid use of LF and CR characters in database and role names

From
Peter Geoghegan
Date:
<p dir="ltr">I haven't looked at the patch, but offhand I wonder if it's worth considering control characters added by
unicode,if you haven't already. <p dir="ltr">--<br /> Peter Geoghegan 

Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Tue, Aug 23, 2016 at 10:19 AM, Peter Geoghegan <pg@heroku.com> wrote:
> I haven't looked at the patch, but offhand I wonder if it's worth
> considering control characters added by unicode, if you haven't already.

There is no need to put restrictions on those I think, and they are
actually supported. Look for example at pg_upgrade/test.sh, we are
already testing them with database names :) Not BEL of course, but
that works.
-- 
Michael



Re: Forbid use of LF and CR characters in database and role names

From
Peter Geoghegan
Date:
On Mon, Aug 22, 2016 at 6:28 PM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> There is no need to put restrictions on those I think, and they are
> actually supported.

Bi-directional text support (i.e., the use of right-to-left control
characters) is known to have security implications, FWIW. There is an
interesting discussion of the matter here:

http://www.unicode.org/reports/tr36/#Bidirectional_Text_Spoofing

-- 
Peter Geoghegan



Re: Forbid use of LF and CR characters in database and role names

From
Tom Lane
Date:
Peter Geoghegan <pg@heroku.com> writes:
> On Mon, Aug 22, 2016 at 6:28 PM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> There is no need to put restrictions on those I think, and they are
>> actually supported.

> Bi-directional text support (i.e., the use of right-to-left control
> characters) is known to have security implications, FWIW. There is an
> interesting discussion of the matter here:

> http://www.unicode.org/reports/tr36/#Bidirectional_Text_Spoofing

The problem with implementing anything like that is that it requires
assumptions about what encoding we're dealing with, which would be
entirely not based in fact.  (The DB encoding is not a good guide
to what global names are encoded as, much less what encoding some
shell might think it's using.)
        regards, tom lane



Re: Forbid use of LF and CR characters in database and role names

From
Peter Eisentraut
Date:
On 8/11/16 9:12 PM, Michael Paquier wrote:
> Note that pg_dump[all] and pg_upgrade already have safeguards against
> those things per the same routines putting quotes for execution as
> commands into psql and shell. So attached is a patch to implement this
> restriction in the backend,

How about some documentation?  I think the CREATE ROLE and CREATE
DATABASE man pages might be suitable places.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Fri, Sep 2, 2016 at 2:44 AM, Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> On 8/11/16 9:12 PM, Michael Paquier wrote:
>> Note that pg_dump[all] and pg_upgrade already have safeguards against
>> those things per the same routines putting quotes for execution as
>> commands into psql and shell. So attached is a patch to implement this
>> restriction in the backend,
>
> How about some documentation?  I think the CREATE ROLE and CREATE
> DATABASE man pages might be suitable places.

Sure. What do you think about that?
+  <para>
+    Database names cannot include <literal>LF</> or <literal>CR</> characters
+    as those could be at the origin of security breaches, particularly on
+    Windows where the command shell is unusable with arguments containing
+    such characters.
+   </para>
--
Michael

Attachment

Re: Forbid use of LF and CR characters in database and role names

From
Peter Eisentraut
Date:
On 8/11/16 9:12 PM, Michael Paquier wrote:
> Note that pg_dump[all] and pg_upgrade already have safeguards against
> those things per the same routines putting quotes for execution as
> commands into psql and shell. So attached is a patch to implement this
> restriction in the backend, and I am adding that to the next CF for
> 10.0. Attached is as well a script able to trigger those errors.

After further review, I have my doubts about this approach.

Everything that is using appendShellString() is now going to reject LF
and CR characters, but there is no systematic way by which this is
managed, enforced, or documented.  It happens that right now most of the
affected cases are user and database names, but there are others.  For
example, you cannot anymore install PostgreSQL into a path containing
LF/CR, because initdb will fail when it composes the pg_ctl command line
to print out.  Also, initdb will fail if the data directory name
contains LF/CR, but it creates the directory nonetheless.  (Apparently,
it doesn't even clean it up.)  But for example pg_ctl and pg_basebackup
and postgres itself handle all of that just fine.  This is a slowly
growing mess.

I think the way forward here, if any, is to work on removing these
restrictions, not to keep sprinkling them around.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: Forbid use of LF and CR characters in database and role names

From
Tom Lane
Date:
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> On 8/11/16 9:12 PM, Michael Paquier wrote:
>> Note that pg_dump[all] and pg_upgrade already have safeguards against
>> those things per the same routines putting quotes for execution as
>> commands into psql and shell. So attached is a patch to implement this
>> restriction in the backend, and I am adding that to the next CF for
>> 10.0. Attached is as well a script able to trigger those errors.

> After further review, I have my doubts about this approach.

> Everything that is using appendShellString() is now going to reject LF
> and CR characters, but there is no systematic way by which this is
> managed, enforced, or documented.  It happens that right now most of the
> affected cases are user and database names, but there are others.  For
> example, you cannot anymore install PostgreSQL into a path containing
> LF/CR, because initdb will fail when it composes the pg_ctl command line
> to print out.  Also, initdb will fail if the data directory name
> contains LF/CR, but it creates the directory nonetheless.  (Apparently,
> it doesn't even clean it up.)  But for example pg_ctl and pg_basebackup
> and postgres itself handle all of that just fine.  This is a slowly
> growing mess.

> I think the way forward here, if any, is to work on removing these
> restrictions, not to keep sprinkling them around.

I think probably a better answer is to reject bad paths earlier, eg have
initdb error out before doing anything if the proposed -D path contains
CR/LF.  Given the collection of security bugs we just fixed, and the
strong likelihood that user-written scripts contain other instances of
the same type of problem, I do not think we are doing anybody any favors
if we sweat bullets to support such paths.  And I'm not even convinced
that we *can* support such paths on Windows; no one was able to find a
safe shell quoting solution there.

And yeah, the docs probably need work.
        regards, tom lane



Re: Forbid use of LF and CR characters in database and role names

From
Robert Haas
Date:
On Tue, Sep 6, 2016 at 9:43 PM, Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> On 8/11/16 9:12 PM, Michael Paquier wrote:
>> Note that pg_dump[all] and pg_upgrade already have safeguards against
>> those things per the same routines putting quotes for execution as
>> commands into psql and shell. So attached is a patch to implement this
>> restriction in the backend, and I am adding that to the next CF for
>> 10.0. Attached is as well a script able to trigger those errors.
>
> After further review, I have my doubts about this approach.
>
> Everything that is using appendShellString() is now going to reject LF
> and CR characters, but there is no systematic way by which this is
> managed, enforced, or documented.  It happens that right now most of the
> affected cases are user and database names, but there are others.  For
> example, you cannot anymore install PostgreSQL into a path containing
> LF/CR, because initdb will fail when it composes the pg_ctl command line
> to print out.  Also, initdb will fail if the data directory name
> contains LF/CR, but it creates the directory nonetheless.  (Apparently,
> it doesn't even clean it up.)  But for example pg_ctl and pg_basebackup
> and postgres itself handle all of that just fine.  This is a slowly
> growing mess.
>
> I think the way forward here, if any, is to work on removing these
> restrictions, not to keep sprinkling them around.

If we were talking about pathnames containing spaces, I would agree,
but I've never heard of a legitimate pathname containing CR or LF.  I
can't see us losing much by refusing to allow such pathnames, except
for security holes.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Wed, Sep 7, 2016 at 2:32 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I think probably a better answer is to reject bad paths earlier, eg have
> initdb error out before doing anything if the proposed -D path contains
> CR/LF.

Yes, that's a bug that we had better address. It is not nice to not
clean up PGDATA in this case.

> Given the collection of security bugs we just fixed, and the
> strong likelihood that user-written scripts contain other instances of
> the same type of problem, I do not think we are doing anybody any favors
> if we sweat bullets to support such paths.

Yep. Database and role names are the two patterns defined by the user
at SQL level that can be reused by command lines, so it still seems to
me that the patch I sent is the correct call..

> And I'm not even convinced
> that we *can* support such paths on Windows; no one was able to find a
> safe shell quoting solution there.

None has been found as far as I know, the problem gets into Windows
core with paths passed to cmd.exe which cannot handle those two
characters correctly.

> And yeah, the docs probably need work.

Patch 0001 is what I have done for the database and role names. Patch
0002 adds a routine in string_utils.c to check if a string given is
valid for shell commands or not. I added a call of that to initdb.c,
which is at least what we'd want to check because it calls directly
appendShellString. Now I am a bit reluctant to spread that
elsewhere... Users would get the message only with initdb if they see
the problem. I have added a note in the page of initdb as well, but
that does not sound enough to me, we may want to add a warning in a
more common plase. Does somebody have an idea where we could add that.

Also, in 0001 I have cleared the docs to refer to newline and carriage
return characters instead of CR and LF.
--
Michael

Attachment

Re: Forbid use of LF and CR characters in database and role names

From
Peter Eisentraut
Date:
On 9/6/16 1:42 PM, Robert Haas wrote:
> If we were talking about pathnames containing spaces, I would agree,
> but I've never heard of a legitimate pathname containing CR or LF.  I
> can't see us losing much by refusing to allow such pathnames, except
> for security holes.

The flip side of that is that if we're doing a half-way job of only
prohibiting these characters in 67% of cases, then a new generation of
tools will be written on top of that with the assumption that these
characters cannot appear.  But then those tools will be easy to break or
exploit because it's possible to sneak stuff in in creative ways.  So
we're on the road to having an endless stream of "I can sneak in a CR/LF
character in here" bugs.

The current setup is more robust:  We are prohibiting these characters
in specific locations where we know we can't handle them.  But we don't
give any guarantees about anything else.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: Forbid use of LF and CR characters in database and role names

From
Noah Misch
Date:
On Thu, Sep 08, 2016 at 12:12:49PM -0400, Peter Eisentraut wrote:
> On 9/6/16 1:42 PM, Robert Haas wrote:
> > On Tue, Sep 6, 2016 at 9:43 PM, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
> > > Everything that is using appendShellString() is now going to reject LF
> > > and CR characters, but there is no systematic way by which this is
> > > managed, enforced, or documented.

I agree, and I think that's roughly what it deserves.  Longstanding use of
MAXPGPATH is worse; we truncate silently and proceed to whatever malfunction
that entails.  We do not see complaints about it.  To make MAXPGPATH or LF/CR
better-managed would nominally improve PostgreSQL, but the value is low.

I discourage documenting LF/CR restrictions.  For the epsilon of readers who
would benefit from this knowledge, the error message suffices.  For everyone
else, it would just dilute the text.  (One could argue against other parts of
our documentation on this basis, but I'm not calling for such a study.  I'm
just saying that today's lack of documentation on this topic is optimal.)

> > > I think the way forward here, if any, is to work on removing these
> > > restrictions, not to keep sprinkling them around.
> > 
> > If we were talking about pathnames containing spaces, I would agree,
> > but I've never heard of a legitimate pathname containing CR or LF.  I
> > can't see us losing much by refusing to allow such pathnames, except
> > for security holes.

(In other words, +1 to that.)

> The flip side of that is that if we're doing a half-way job of only
> prohibiting these characters in 67% of cases, then a new generation of
> tools will be written on top of that with the assumption that these
> characters cannot appear.

There's some risk there, but it doesn't feel too likely to me.  If the current
tools generation had contemplated those characters, we'd have learned of
CVE-2016-5424 earlier.  Even so, ...

> The current setup is more robust:  We are prohibiting these characters
> in specific locations where we know we can't handle them.  But we don't
> give any guarantees about anything else.

... I'd be fine with that conclusion.



Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Mon, Sep 12, 2016 at 10:01 AM, Noah Misch <noah@leadboat.com> wrote:
> I discourage documenting LF/CR restrictions.  For the epsilon of readers who
> would benefit from this knowledge, the error message suffices.  For everyone
> else, it would just dilute the text.  (One could argue against other parts of
> our documentation on this basis, but I'm not calling for such a study.  I'm
> just saying that today's lack of documentation on this topic is optimal.)

Okay.

>> > > I think the way forward here, if any, is to work on removing these
>> > > restrictions, not to keep sprinkling them around.
>> >
>> > If we were talking about pathnames containing spaces, I would agree,
>> > but I've never heard of a legitimate pathname containing CR or LF.  I
>> > can't see us losing much by refusing to allow such pathnames, except
>> > for security holes.
>
> (In other words, +1 to that.)

Yep. To be honest, I see value in preventing directly the use of
newlines and carriage returns in database and role names to avoid
users to be bitten by custom scripts, things for example written in
bash that scan manually for pg_database, pg_roles, etc. And I have
seen such things over the years. Now it is true that the safeguards in
core are proving to be enough, if only the in-core tools are used, but
that's not necessarily the case with all the things gravitating around
this community.
-- 
Michael



Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Mon, Sep 12, 2016 at 11:38 AM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> On Mon, Sep 12, 2016 at 10:01 AM, Noah Misch <noah@leadboat.com> wrote:
>> I discourage documenting LF/CR restrictions.  For the epsilon of readers who
>> would benefit from this knowledge, the error message suffices.  For everyone
>> else, it would just dilute the text.  (One could argue against other parts of
>> our documentation on this basis, but I'm not calling for such a study.  I'm
>> just saying that today's lack of documentation on this topic is optimal.)
>
> Okay.
>
>>> > > I think the way forward here, if any, is to work on removing these
>>> > > restrictions, not to keep sprinkling them around.
>>> >
>>> > If we were talking about pathnames containing spaces, I would agree,
>>> > but I've never heard of a legitimate pathname containing CR or LF.  I
>>> > can't see us losing much by refusing to allow such pathnames, except
>>> > for security holes.
>>
>> (In other words, +1 to that.)
>
> Yep. To be honest, I see value in preventing directly the use of
> newlines and carriage returns in database and role names to avoid
> users to be bitten by custom scripts, things for example written in
> bash that scan manually for pg_database, pg_roles, etc. And I have
> seen such things over the years. Now it is true that the safeguards in
> core are proving to be enough, if only the in-core tools are used, but
> that's not necessarily the case with all the things gravitating around
> this community.

And seeing nothing happening here, I still don't know what to do with
this patch. Thoughts? If we are going to do nothing I would suggest to
just remove the comment in string_utils.c saying that such LF and CR
will be unsupported in a future release and move on.
-- 
Michael



Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Sun, Oct 2, 2016 at 10:47 PM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> And seeing nothing happening here, I still don't know what to do with
> this patch. Thoughts? If we are going to do nothing I would suggest to
> just remove the comment in string_utils.c saying that such LF and CR
> will be unsupported in a future release and move on.

And so I am just marking this patch as returned with feedback.
-- 
Michael



Re: Forbid use of LF and CR characters in database and role names

From
Noah Misch
Date:
On Sun, Oct 02, 2016 at 10:47:04PM +0900, Michael Paquier wrote:
> On Mon, Sep 12, 2016 at 11:38 AM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
> > On Mon, Sep 12, 2016 at 10:01 AM, Noah Misch <noah@leadboat.com> wrote:
> >> I discourage documenting LF/CR restrictions.  For the epsilon of readers who
> >> would benefit from this knowledge, the error message suffices.  For everyone
> >> else, it would just dilute the text.  (One could argue against other parts of
> >> our documentation on this basis, but I'm not calling for such a study.  I'm
> >> just saying that today's lack of documentation on this topic is optimal.)
> >
> > Okay.
> >
> >>> > > I think the way forward here, if any, is to work on removing these
> >>> > > restrictions, not to keep sprinkling them around.
> >>> >
> >>> > If we were talking about pathnames containing spaces, I would agree,
> >>> > but I've never heard of a legitimate pathname containing CR or LF.  I
> >>> > can't see us losing much by refusing to allow such pathnames, except
> >>> > for security holes.
> >>
> >> (In other words, +1 to that.)
> >
> > Yep. To be honest, I see value in preventing directly the use of
> > newlines and carriage returns in database and role names to avoid
> > users to be bitten by custom scripts, things for example written in
> > bash that scan manually for pg_database, pg_roles, etc. And I have
> > seen such things over the years. Now it is true that the safeguards in
> > core are proving to be enough, if only the in-core tools are used, but
> > that's not necessarily the case with all the things gravitating around
> > this community.
> 
> And seeing nothing happening here, I still don't know what to do with
> this patch. Thoughts?

I count one person disfavoring the patch concept of rejecting these characters
early, and I count two people, plus yourself as author, favoring it.
Therefore, the patch can move forward with the proposed design.  The next
step, then, is for the patch to park in a CommitFest until someone volunteers
to review the implementation details.

nm



Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Tue, Oct 11, 2016 at 11:00 AM, Noah Misch <noah@leadboat.com> wrote:
> I count one person disfavoring the patch concept of rejecting these characters
> early, and I count two people, plus yourself as author, favoring it.
> Therefore, the patch can move forward with the proposed design.  The next
> step, then, is for the patch to park in a CommitFest until someone volunteers
> to review the implementation details.

OK, thanks. I thought there were more opposition to it. The original
patches still apply so I am adding it back to the next CF:
https://commitfest.postgresql.org/11/711/
-- 
Michael



Re: Forbid use of LF and CR characters in database and role names

From
"Ideriha, Takeshi"
Date:
Hi, 
Here's a summary for what I tested  in RHEL7.0, details follow.

[Summary]
1. apply patch and make world  -> failed because </para> was mistakenly coded <para>.

2.correct this mistake and make check-world -> got 1 failed test: "'pg_dumpall with \n\r in database name'"    because
testscript cannot createdb "foo\n\rbar" 
 


Details follows:
[1. apply patch and make world>]

I tried to make world after applying patch and there seems to be one small mistake in create_role. 
===============================================================

openjade:ref/create_role.sgml:413:7:E: document type does not allow element "PARA" here; missing one of "FOOTNOTE",
"ITEMIZEDLIST","ORDEREDLIST", "VARIABLELIST", "CAUTION", "IMPORTANT", "NOTE", "TIP", "WARNING", "BLOCKQUOTE",
"INFORMALEXAMPLE"start-tag
 
openjade:ref/create_role.sgml:414:11:E: end tag for "PARA" omitted, but OMITTAG NO was specified
openjade:ref/create_role.sgml:413:2: start tag was here
openjade:ref/create_role.sgml:414:11:E: end tag for "PARA" omitted, but OMITTAG NO was specified
openjade:ref/create_role.sgml:408:2: start tag was here
make[3]: *** [HTML.index] Error 1
make[3]: *** Deleting file `HTML.index'

===============================================================

[2.correct this mistake and make check-world]
After fixing this mistake locally by correcting <para> to end tag, postgresql and documentation were successfully
made.
And also "make check" tests passed (not "make check-world").

================================================================
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index 9d6926e..ff4b6f6 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -410,7 +410,7 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac   as those could
beat the origin of security breaches, particularly on   Windows where the command shell is unusable with arguments
containing  such characters.
 
-  <para>
+  </para> </refsect1> <refsect1>
=================================================================

This failure seems actually caused by t/010_dump_connstr.pl line 65
"$node->run_log(['createdb', "foo\n\rbar"]);".

This means your patch works well.

Excerpt from log follows. 
===============================================================
#   Failed test 'pg_dumpall with \n\r in database name'
#   at /home/ideriha/postgres-master/src/bin/pg_dump/../../../src/test/perl/TestLib.pm line 230.
# Looks like you failed 1 test of 14.
t/010_dump_connstr.pl .. 

not ok 6 - pg_dumpall with \n\r in database name

Failed 1/14 subtests 

Test Summary Report
-------------------
t/010_dump_connstr.pl (Wstat: 256 Tests: 14 Failed: 1) Failed test:  6 Non-zero exit status: 1
Files=3, Tests=1822, 58 wallclock secs ( 0.20 usr  0.01 sys + 12.52 cusr  1.94 csys = 14.67 CPU)
Result: FAIL
=================================================================


Regards,
Ideriha, Takeshi
Fujitsu

Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Tue, Nov 22, 2016 at 5:55 PM, Ideriha, Takeshi
<ideriha.takeshi@jp.fujitsu.com> wrote:
> Here's a summary for what I tested  in RHEL7.0, details follow.

Thanks for the review.

> [Summary]
> 1. apply patch and make world
>   -> failed because </para> was mistakenly coded <para>.
>
> 2.correct this mistake and make check-world
>   -> got 1 failed test: "'pg_dumpall with \n\r in database name'"
>      because test script cannot createdb "foo\n\rbar"

The attached version addresses those problems. I have replaced the
test in src/bin/pg_dump/t/ by tests in src/bin/scripts/t/ to check if
the role name and database name with CR or LF fail to be created. I
have as well added a test for initdb when the data directory has an
incorrect character in 0002.
--
Michael

Attachment

Re: Forbid use of LF and CR characters in database and role names

From
"Ideriha, Takeshi"
Date:
> > [Summary]
> > 1. apply patch and make world
> >   -> failed because </para> was mistakenly coded <para>.
> >
> > 2.correct this mistake and make check-world
> >   -> got 1 failed test: "'pg_dumpall with \n\r in database name'"
> >      because test script cannot createdb "foo\n\rbar"
> 
> The attached version addresses those problems. I have replaced the test in
> src/bin/pg_dump/t/ by tests in src/bin/scripts/t/ to check if the role name
> and database name with CR or LF fail to be created. I have as well added a test
> for initdb when the data directory has an incorrect character in 0002.

Thanks for your modification.
I applied your fixed patch and new one, and confirmed the applied source passed the tests successfully. And I also
checkedmanually the error messages were emitted successfully when cr/lf are included in dbname or rolename or
data_directory.

AFAICT, this patch satisfies the concept discussed before. So I’ve switched this patch “Ready for Committer”.

Regards, 
Ideriha, Takeshi

Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Fri, Nov 25, 2016 at 4:02 PM, Ideriha, Takeshi
<ideriha.takeshi@jp.fujitsu.com> wrote:
> I applied your fixed patch and new one, and confirmed the applied source passed the tests successfully. And I also
checkedmanually the error messages were emitted successfully when cr/lf are included in dbname or rolename or
data_directory.
>
> AFAICT, this patch satisfies the concept discussed before. So I’ve switched this patch “Ready for Committer”.

Thanks for the review, Ideriha-san. (See you next week perhaps?)
--
Michael



Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Fri, Nov 25, 2016 at 4:41 PM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> On Fri, Nov 25, 2016 at 4:02 PM, Ideriha, Takeshi
> <ideriha.takeshi@jp.fujitsu.com> wrote:
>> I applied your fixed patch and new one, and confirmed the applied source passed the tests successfully. And I also
checkedmanually the error messages were emitted successfully when cr/lf are included in dbname or rolename or
data_directory.
>>
>> AFAICT, this patch satisfies the concept discussed before. So I’ve switched this patch “Ready for Committer”.
>
> Thanks for the review, Ideriha-san. (See you next week perhaps?)

Patch moved to CF 2017-01.
--
Michael



Re: [HACKERS] Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Tue, Nov 29, 2016 at 1:33 PM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> On Fri, Nov 25, 2016 at 4:41 PM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> On Fri, Nov 25, 2016 at 4:02 PM, Ideriha, Takeshi
>> <ideriha.takeshi@jp.fujitsu.com> wrote:
>>> I applied your fixed patch and new one, and confirmed the applied source passed the tests successfully. And I also
checkedmanually the error messages were emitted successfully when cr/lf are included in dbname or rolename or
data_directory.
>>>
>>> AFAICT, this patch satisfies the concept discussed before. So I’ve switched this patch “Ready for Committer”.
>>
>> Thanks for the review, Ideriha-san. (See you next week perhaps?)
>
> Patch moved to CF 2017-01.

And nothing has happened since, the patch rotting a bit because of a
conflict in pg_dump's TAP tests. Attached is a rebased version.
--
Michael

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Attachment

Re: [HACKERS] Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Wed, Feb 1, 2017 at 1:31 PM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> On Tue, Nov 29, 2016 at 1:33 PM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> Patch moved to CF 2017-01.
>
> And nothing has happened since, the patch rotting a bit because of a
> conflict in pg_dump's TAP tests. Attached is a rebased version.

Moved to CF 2017-03..
-- 
Michael



Re: Forbid use of LF and CR characters in database and role names

From
Michael Paquier
Date:
On Wed, Feb 1, 2017 at 1:31 PM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> On Wed, Feb 1, 2017 at 1:31 PM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> On Tue, Nov 29, 2016 at 1:33 PM, Michael Paquier
>> <michael.paquier@gmail.com> wrote:
>>> Patch moved to CF 2017-01.
>>
>> And nothing has happened since, the patch rotting a bit because of a
>> conflict in pg_dump's TAP tests. Attached is a rebased version.
>
> Moved to CF 2017-03..

And nothing has happened. This is the 4th commit fest where this patch
has been presented, and no committers have showed interest. I am
marking that as rejected, moving on to other things.
-- 
Michael