On Mon, Nov 10, 2003 at 01:03:54PM +0100, Jos Vos wrote:
> On Mon, Nov 10, 2003 at 10:08:20AM +0100, Balazs Scheidler wrote:
> > this can be controlled by template_escape()
> > destination d_file { file("/var/log/messages" template("$MSG\n") template_escape(no)); };
> Great.
> But can't the default better be "no" instead of "yes"?
I think this option only applies to template(), so when you are not using templates you will get the unescaped behaviour.

Setting the default to 'no' in templates is a security issue when sending the template output to a database server (a fairly common setup). Imagine an SQL query like:

  INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');

If the quotation mark is not protected by a backslash, the DROP DATABASE command will be executed. I think this scenario is less visible to a normal user; at least it is more difficult to notice this possibility.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
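The injection Bazsi describes, worked through as an added example that is not part of the thread and not syslog-ng's own code. It assumes that template_escape(yes) backslash-escapes single quotes, double quotes and backslashes in the rendered template (check the syslog-ng documentation for your version), and it uses a constructed hostile log message that closes the parenthesis as well as the quote so that every injected fragment is a complete statement. A small MySQL-style statement splitter (backslash escapes inside string literals, ';' outside a literal ends a statement) then shows how many statements a database server would see with and without escaping:

```python
# Added example: effect of template_escape() on a template rendered into SQL.
# Not syslog-ng code; the escaping rule below is an assumption about what
# template_escape(yes) does (backslash before ' " and \).

# Constructed hostile message, as a malicious local user could log via
# logger(1); it closes the INSERT and appends two more statements.
HOSTILE_MSG = "Nov 12 12:23:34 localhost message');DROP DATABASE logdb;SELECT ('x"
BENIGN_MSG = "Nov 12 12:23:34 localhost sshd[123]: Accepted publickey for root"


def template_escape(msg: str) -> str:
    """Assumed template_escape(yes) behaviour: backslash-protect \\, ' and \"."""
    return msg.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def render_insert(msg: str, escape: bool) -> str:
    """Render the template "INSERT INTO logdb (MSG) values ('$MSG');"
    the way a file()/program() destination feeding a DB client would."""
    value = template_escape(msg) if escape else msg
    return f"INSERT INTO logdb (MSG) values ('{value}');"


def split_statements(sql: str) -> list:
    """Split a MySQL-style script into statements.

    ';' outside a string literal terminates a statement; inside a literal
    a backslash escapes the next character, so an escaped quote cannot
    close the literal.  This mirrors how the server decides statement
    boundaries, which is exactly what the attacker is trying to move.
    """
    stmts, cur, quote, i = [], [], None, 0
    while i < len(sql):
        c = sql[i]
        if quote:
            cur.append(c)
            if c == "\\" and i + 1 < len(sql):   # escaped char: keep both, never close
                cur.append(sql[i + 1])
                i += 2
                continue
            if c == quote:                        # unescaped quote closes the literal
                quote = None
        elif c in ("'", '"'):
            quote = c
            cur.append(c)
        elif c == ";":
            stmt = "".join(cur).strip()
            if stmt:
                stmts.append(stmt)
            cur = []
        else:
            cur.append(c)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


def is_single_insert(msg: str, escape: bool) -> bool:
    """True if the rendered query is exactly one INSERT, i.e. no injection."""
    stmts = split_statements(render_insert(msg, escape))
    return len(stmts) == 1 and stmts[0].startswith("INSERT INTO logdb")


if __name__ == "__main__":
    for escape in (False, True):
        print(f"template_escape({'yes' if escape else 'no'}):")
        for s in split_statements(render_insert(HOSTILE_MSG, escape)):
            print("   ", s)
```

With template_escape(no) the splitter returns three statements, the second being DROP DATABASE logdb; with template_escape(yes) the whole message stays inside one string literal and only the INSERT remains. Note that backslash escaping is MySQL-style: in standard SQL (and in PostgreSQL with standard_conforming_strings on) a backslash inside a literal is an ordinary character and a quote is escaped by doubling it, so a backslash-escaped template is only safe for a backend that actually interprets the backslash. Where the client library offers parameterised statements, binding $MSG as a parameter avoids the question entirely.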