[syslog-ng] Backslash-escaped quotes in message strings

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 10 Nov 2003 16:15:44 +0100


On Mon, Nov 10, 2003 at 01:03:54PM +0100, Jos Vos wrote:
> On Mon, Nov 10, 2003 at 10:08:20AM +0100, Balazs Scheidler wrote:
> 
> > this can be controlled by template_escape()
> > 
> > destination d_file { file("/var/log/messages" template("$MSG\n") template_escape(no)); };
> 
> Great.
> 
> But can't the default better be "no" i.s.o. "yes"?

I think this option only applies to template(), so when you are not using
templates you will get the unescaped behaviour.

Setting the default to 'no' in templates is a security issue when sending
the template output to a database server (a fairly common setup); imagine
an SQL query like:

INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');

If the quotation mark is not protected by a backslash, the DROP DATABASE
command will be executed. I think this scenario is less visible to a normal
user; at least it is more difficult to notice this possibility.


-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
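The point made in this mail, as an added example that is not part of the thread and not syslog-ng's own code: a small re-implementation of backslash escaping for `'`, `"` and `\` (an assumption based on what the template_escape() option is documented to do, not copied from syslog-ng source), applied to a constructed message modelled on the one above, beside the fix a defender should prefer when the template output feeds a database, binding the raw message as a query parameter (shown here with sqlite3).

```python
import sqlite3

# Constructed sample, modelled on the message in the mail; not a real log event.
HOSTILE_MSG = "Nov 12 12:23:34 localhost message';DROP DATABASE logdb;--"


def template_escape(msg: str) -> str:
    """Backslash-escape ', " and \\ in an expanded template, which is what
    syslog-ng's template_escape(yes) is for (assumption: behaviour taken from
    the option's documented purpose, not copied from syslog-ng source)."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in msg)


def naive_insert_sql(msg: str) -> str:
    """The risky pattern from the mail: template output spliced into SQL text.
    With template_escape(no) a quote in the message closes the literal early."""
    return f"INSERT INTO logdb (MSG) VALUES ('{msg}');"


def literal_is_intact(sql: str) -> bool:
    """Rough check, for illustration only: after the opening quote, is the
    first unescaped single quote the one that closes the whole statement?"""
    body = sql.split("VALUES ('", 1)[1]
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if body[i] == "'":
            return body[i:] == "');"
        i += 1
    return False


def insert_parameterized(conn: sqlite3.Connection, msg: str) -> str:
    """Preferred fix: bind the raw message as a parameter so the database
    never parses message bytes as SQL; no escaping is needed at all."""
    conn.execute("INSERT INTO logdb (MSG) VALUES (?)", (msg,))
    (stored,) = conn.execute("SELECT MSG FROM logdb").fetchone()
    return stored


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logdb (MSG TEXT)")
    return {
        "unescaped_intact": literal_is_intact(naive_insert_sql(HOSTILE_MSG)),
        "escaped_intact": literal_is_intact(naive_insert_sql(template_escape(HOSTILE_MSG))),
        "stored_via_params": insert_parameterized(conn, HOSTILE_MSG),
    }
```

The escaping shown matches backslash-quoting servers such as MySQL; SQLite itself doubles quotes instead, which is one more reason to let the driver bind parameters rather than build SQL text from log data.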