[syslog-ng]Feature Request

Chad C. Walstrom chewie@wookimus.net
Wed, 28 Mar 2001 12:04:25 -0600


Chad C. Walstrom wrote:
>     template("INSERT INTO mytable ( host, facility, priority, level,
>     tag, date, time, program, msg) VALUES( '$HOST', '$FACILITY',
>     '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY',
>     '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG');\n"));

Mordechai T. Abzug wrote:
> NB: from a security perspective, this may not be a good idea.
> What if $MSG is created by a hostile host and includes a single
> quote followed by some SQL statement?  This is the standard "mixed
> code + externally supplied data" problem.

It looks like I'll have to go with raw data output, probably
pipe-delimited with the $MSG text as the last field.  I could see the
next iteration of the template() option to be an escaped version,
where you can specify what your escape character should be and which
characters it should apply to.  Something like:

    destination{ file("/tmp/blah" template( "$MSG" escape("\")
        to-escape("'\"\\") ) ); };

Nasty grammar to escape ', ", and \, but necessary if you think about
it.

Ideas, flames, suggestions?  BTW, I'm willing to code and send in
patches; I just need to figure out this funky use of scheme...

-- 
Chad Walstrom <chewie@wookimus.net>                 | a.k.a. ^chewie
http://www.wookimus.net/                            | s.k.a. gunnarr
Key fingerprint = B4AB D627 9CBD 687E 7A31  1950 0CC7 0B18 206C 5AFD


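The pipe-delimited approach described in the message, as an added example (not code from the original post or from syslog-ng): a Python loader that splits each record with $MSG as the last field and inserts it with bound parameters, so quotes in the message are stored as data. The sqlite3 backend, the function names and the sample lines are assumptions made for illustration.

```python
import sqlite3

# Column order follows the template quoted in the message; $MSG is last so
# that any '|' inside the message text stays part of the message.
FIELDS = ("host", "facility", "priority", "level", "tag",
          "date", "time", "program", "msg")

INSERT = "INSERT INTO mytable ({}) VALUES ({})".format(
    ", ".join(FIELDS), ", ".join("?" for _ in FIELDS))


def parse_line(line):
    """Split one pipe-delimited record into exactly len(FIELDS) values."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return tuple(parts)


def load(conn, lines):
    """Insert records with bound parameters; return (stored, rejected)."""
    stored = rejected = 0
    for line in lines:
        try:
            row = parse_line(line)
        except ValueError:
            rejected += 1          # short or malformed record: count it, skip it
            continue
        conn.execute(INSERT, row)  # values are bound as data, never spliced into the SQL text
        stored += 1
    conn.commit()
    return stored, rejected


def demo():
    """Run the loader over constructed sample lines (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable ({})".format(
        ", ".join(f + " TEXT" for f in FIELDS)))
    sample = [
        "web1|daemon|info|6|1e|2001-03-28|12:04:25|sshd|session opened for user chewie\n",
        "web2|user|notice|5|0d|2001-03-28|12:04:26|app|it's 50% done | x'); DELETE FROM mytable; --\n",
        "truncated|line\n",
    ]
    counts = load(conn, sample)
    msgs = [r[0] for r in conn.execute("SELECT msg FROM mytable ORDER BY host")]
    return counts, msgs
```

A `|` inside an earlier field such as $PROGRAM would still shift the columns, which is the case the proposed escape()/to-escape() options would cover.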