From: | David Fetter <david(at)fetter(dot)org> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Chapman Flack <chap(at)anastigmatix(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: idea: custom log_line_prefix components besides application_name |
Date: | 2017-05-09 19:15:51 |
Message-ID: | 20170509191551.GA14082@fetter.org |
Lists: | pgsql-hackers |
On Tue, May 09, 2017 at 12:48:01PM -0400, Tom Lane wrote:
> David Fetter <david(at)fetter(dot)org> writes:
> > On Fri, May 05, 2017 at 02:20:26PM -0400, Robert Haas wrote:
> >> On Thu, May 4, 2017 at 10:59 AM, Chapman Flack <chap(at)anastigmatix(dot)net> wrote:
> >>> invalid input syntax for integer: "21' && 1=2)) Uni/**/ON
> >>> SEl/**/eCT 0x646665743166657274,0x646665743266657274,
> >>> 0x646665743366657274 -- "
>
> >> Now that is choice. I wonder what specific database system that's
> >> targeting...
>
> > It could well be targeting some class of pipeline to the database,
> > too, for example one that removes comments and/or un-escapes.
>
> Yeah. It's a bit hard to see a database's parser treating "Uni/**/ON"
> as UNION, but if some stack someplace had a keyword check ahead of
> a comment-stripping step, maybe that could do something useful.
Right.
> > It occurs to me that psql's habit of stripping out everything on a
> > line that follows a double dash might be vulnerable in this way, but
> > I wouldn't see such vulnerabilities as super easy to exploit, as psql
> > isn't usually exposed directly to input from the internet.
>
> I don't think that's a problem: while psql will remove "--" and everything
> following it until newline, it won't remove the newline. So there's still
> a token boundary there. If we tried to strip /*...*/ comments we'd have
> to be more careful.
We may still need to be careful.
davidfetter(at)davidfetter=# SELECT 'foo'-- stuff goes here
'bar';
?column?
----------
foobar
(1 row)
> As far as the actual thread topic goes, I tend to agree with
> Robert's doubt that there's enough utility or consensus for this.
I'm pretty sure we're going to need a logger with more structure than
our default, especially as those logs get machine-parsed, and more
importantly, machine-acted-upon.
Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
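The two points made above (a comment stripper that deletes comments outright lets `Uni/**/ON` collapse into a keyword, while one that keeps the token boundary does not, and structured logs are only useful if they can be machine-parsed) can be put together in a small log analyser. The following is an added example, not code from the thread or from PostgreSQL; it assumes a `log_line_prefix` of `'%t [%p] %u@%d '`, the log lines are constructed, and `strip_comments`, `analyse_value` and `scan_log` are hypothetical names.

```python
"""Flag comment-split SQL keywords in PostgreSQL 'invalid input syntax' errors.

Added example (not PostgreSQL code).  Assumes log_line_prefix = '%t [%p] %u@%d '.
"""
import re

# Constructed sample log lines, not real server output.  The first carries the
# probe quoted in the thread; the second is an ordinary bad-input error.
SAMPLE_LOG = """\
2017-05-09 12:48:01 UTC [14082] app@shop ERROR:  invalid input syntax for integer: "21' && 1=2)) Uni/**/ON SEl/**/eCT 0x646665743166657274,0x646665743266657274,0x646665743366657274 -- "
2017-05-09 12:48:02 UTC [14083] app@shop ERROR:  invalid input syntax for integer: "abc"
2017-05-09 12:48:03 UTC [14084] app@shop LOG:  duration: 12.345 ms
"""

PREFIX_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) '
    r'(?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
BAD_INPUT_RE = re.compile(r'invalid input syntax for \w+: "(?P<value>.*)"$')
# Simplified lexing: comment markers inside string literals are not special-cased.
BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
LINE_COMMENT_RE = re.compile(r'--[^\n]*')
SUSPECT_KEYWORDS = ('UNION', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP')


def strip_comments(sql, preserve_boundaries=True):
    """Remove SQL comments from a fragment.

    preserve_boundaries=True replaces each comment with one space, so
    'Uni/**/ON' stays two tokens ('Uni ON'), as a correct lexer sees it.
    preserve_boundaries=False deletes the comment outright, the mistake that
    turns 'Uni/**/ON' into UNION.  A '--' comment runs to end of line; the
    newline itself is kept, so that token boundary survives either way.
    """
    filler = ' ' if preserve_boundaries else ''
    sql = BLOCK_COMMENT_RE.sub(filler, sql)
    return LINE_COMMENT_RE.sub(filler, sql)


def keywords_in(sql):
    """Suspect SQL keywords appearing as whole words (case-insensitive)."""
    words = set(re.findall(r'[A-Za-z_]+', sql.upper()))
    return sorted(k for k in SUSPECT_KEYWORDS if k in words)


def analyse_value(value):
    """Indicators for one rejected input value."""
    kept = keywords_in(strip_comments(value, preserve_boundaries=True))
    merged = keywords_in(strip_comments(value, preserve_boundaries=False))
    return {
        'has_block_comment': bool(BLOCK_COMMENT_RE.search(value)),
        'has_quote': "'" in value,
        'keywords': merged,
        # Keywords that only exist once comments are deleted: the input was
        # shaped for a stack that strips comments before its keyword check.
        'comment_split_keywords': sorted(set(merged) - set(kept)),
    }


def scan_log(text):
    """Parse each line with the assumed prefix; return suspicious bad-input errors."""
    findings = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue  # not in the assumed log_line_prefix format
        rec = m.groupdict()
        b = BAD_INPUT_RE.search(rec['msg'])
        if not b:
            continue
        ind = analyse_value(b.group('value'))
        if ind['has_quote'] or ind['keywords'] or ind['has_block_comment']:
            findings.append((rec, ind))
    return findings


if __name__ == '__main__':
    for rec, ind in scan_log(SAMPLE_LOG):
        print(rec['ts'], rec['pid'], rec['user'] + '@' + rec['db'], ind)
```

Run as-is it reports only the first line, with `comment_split_keywords == ['SELECT', 'UNION']`, i.e. keywords that appear only under the boundary-losing stripper. The `--` handling mirrors the psql point above: the comment goes, the newline stays, so `'foo'` and `'bar'` remain separate tokens; that the server then concatenates two string constants separated by whitespace containing a newline is a lexer rule of its own, which is exactly what the psql session demonstrates.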