Backslash-escaped quotes in message strings
Hi,

When a single (') or double (") quote appears in a syslog message, this quote gets escaped with a backslash by syslog-ng, which results in pretty ugly output, different from what the standard Linux sysklogd does (this doesn't change the message).

Can this be considered a bug (or is it a feature)?

Thanks,

--
-- Jos Vos <jos@xos.nl>
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands      | Fax:   +31 20 6948204
On Sun, Nov 09, 2003 at 03:53:50PM +0100, Jos Vos wrote:
> Hi,
> When a single (') or double (") quote appears in a syslog message, this quote gets escaped with a backslash by syslog-ng, which results in pretty ugly output, different from what the standard Linux sysklogd does (this doesn't change the message).
> Can this be considered a bug (or is it a feature)?
this can be controlled by template_escape()

destination d_file { file("/var/log/messages" template("$MSG\n") template_escape(no)); };

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Mon, Nov 10, 2003 at 10:08:20AM +0100, Balazs Scheidler wrote:
> this can be controlled by template_escape()
> destination d_file { file("/var/log/messages" template("$MSG\n") template_escape(no)); };
Great. But can't the default better be "no" instead of "yes"?

-- Jos Vos <jos@xos.nl>
On Mon, Nov 10, 2003 at 01:03:54PM +0100, Jos Vos wrote:
> On Mon, Nov 10, 2003 at 10:08:20AM +0100, Balazs Scheidler wrote:
> > this can be controlled by template_escape()
> > destination d_file { file("/var/log/messages" template("$MSG\n") template_escape(no)); };
> Great.
> But can't the default better be "no" instead of "yes"?
I think this option only applies to template(), so when you are not using templates you will get the unescaped behaviour.

Setting the default for 'no' in templates is a security issue when sending the template output to a database server (fairly common setup), imagine an SQL query like:

INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');

if the quotation mark is not protected by a backslash, the DROP DATABASE command will be executed. I think this scenario is less visible to a normal user, at least it is more difficult to notice this possibility.

--
Bazsi
On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> Setting the default for 'no' in templates is a security issue when sending the template output to a database server (fairly common setup), imagine an SQL query like:
> INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
> if the quotation mark is not protected by a backslash, the DROP DATABASE command will be executed. I think this scenario is less visible to a normal user, at least it is more difficult to notice this possibility.
The proper quoting depends on the database, however. For example, Oracle doesn't recognize a backslash as quoting character:

SQL> insert into foo values('foo\'bar');
ERROR:
ORA-01756: quoted string not properly terminated

you have to double the single quotes:

SQL> insert into foo values('foo''bar');

1 row created.

I think this is also ANSI SQL, the backslash is a mysql extension.

hp
--
   _  | Peter J. Holzer    | We have failed our own creation and given
|_|_) | Sysadmin WSR       | birth something truly awful. We're just too
| |   | hjp@hjp.at         | busy cooing over the pram to notice.
__/   | http://www.hjp.at/ |    -- http://www.internetisshit.org
On Tue, Nov 11, 2003 at 10:55:16AM +0100, Peter J. Holzer wrote:
> On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> > Setting the default for 'no' in templates is a security issue when sending the template output to a database server (fairly common setup), imagine an SQL query like:
> > INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
> > if the quotation mark is not protected by a backslash, the DROP DATABASE command will be executed. I think this scenario is less visible to a normal user, at least it is more difficult to notice this possibility.
> The proper quoting depends on the database, however. For example, Oracle doesn't recognize a backslash as quoting character:
> SQL> insert into foo values('foo\'bar');
> ERROR:
> ORA-01756: quoted string not properly terminated
> you have to double the single quotes:
> SQL> insert into foo values('foo''bar');
> 1 row created.
> I think this is also ANSI SQL, the backslash is a mysql extension.
thanks for the info, I've added a bug ticket to our bugzilla, this will be added in the future.

--
Bazsi
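The two points made in this thread, that a quote in a log message can terminate the SQL literal in a templated INSERT (Balazs' message) and that backslash escaping only protects a MySQL-style database while ANSI databases such as Oracle expect doubled quotes (Peter's message), can be checked side by side. The following is an added example written for this archive page, not code from syslog-ng or from any participant. It uses Python's sqlite3 as a stand-in for an ANSI-quoting database (SQLite, like Oracle, treats a backslash inside a string literal as an ordinary character), runs the rendered template as a script the way a command-line loader would, and reports whether the log table survived. The hostile message, the table name and the template text are constructed for the demonstration; escape_backslash is a hand-written model of what template_escape(yes) does to quotes, not syslog-ng's own routine.

```python
import sqlite3

# Constructed sample message modelled on the thread's scenario: the quote and
# parenthesis close the INSERT's literal, a second statement follows, and the
# trailing "--" turns the rest of the template into a comment so it parses.
HOSTILE_MSG = "Nov 12 12:23:34 localhost message');DROP TABLE logdb;--"

# Hypothetical template, as syslog-ng would render it with $MSG substituted.
TEMPLATE = "INSERT INTO logdb (msg) VALUES ('%s');"


def escape_none(msg):
    """template_escape(no): the message goes into the template untouched."""
    return msg


def escape_backslash(msg):
    """MySQL-style escaping, modelling what template_escape(yes) does to quotes."""
    return msg.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def escape_ansi(msg):
    """ANSI SQL / Oracle style: a quote inside a literal is written twice."""
    return msg.replace("'", "''")


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logdb (msg TEXT)")
    return conn


def _outcome(conn):
    """Return (table_still_exists, stored_messages) for the log table."""
    exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='logdb'"
    ).fetchone()[0] == 1
    rows = [r[0] for r in conn.execute("SELECT msg FROM logdb")] if exists else []
    return exists, rows


def run_templated(msg, escaper):
    """Feed the rendered template to the database as a multi-statement script,
    the way a CLI or batch loader would. SQLite applies the ANSI rule, so a
    backslash does not protect the quote that follows it."""
    conn = _fresh_db()
    conn.executescript(TEMPLATE % escaper(msg))
    return _outcome(conn)


def run_parameterized(msg):
    """Bind the message as a parameter; the driver never parses it as SQL, so
    no escaping rule has to match the database dialect at all."""
    conn = _fresh_db()
    conn.execute("INSERT INTO logdb (msg) VALUES (?)", (msg,))
    return _outcome(conn)


if __name__ == "__main__":
    for name, escaper in (("none", escape_none),
                          ("backslash", escape_backslash),
                          ("ansi", escape_ansi)):
        print("%-10s table survives=%s rows=%r" % ((name,) + run_templated(HOSTILE_MSG, escaper)))
    print("%-10s table survives=%s rows=%r" % (("bound",) + run_parameterized(HOSTILE_MSG)))
```

Run against an ANSI-quoting database, both the unescaped and the backslash-escaped template lose the table, which is the mismatch Peter describes; only the doubled-quote form stores the message verbatim. Binding the message as a query parameter gives the same safe result without depending on the destination's quoting dialect, which is the check to make whenever a template's output ends up inside SQL.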
participants (3):
- Balazs Scheidler
- Jos Vos
- Peter J. Holzer