[syslog-ng] Escape slashes etc in macro variables ($PROGRAM)
Balazs Scheidler
bazsi at balabit.hu
Tue Jan 10 17:41:45 CET 2012
On Tue, 2012-01-03 at 09:53 -0600, Martin Holste wrote:
> Ok, but what about absolute directories? I'm assuming that something
> as simple as setting program to /etc/passwd will not work by default,
> but is there anything for users to be aware of?

If you add anything in front of the expanded macro, then you can't
escape that, since syslog-ng will refuse to create files that contain
'../' or '/..'.

There's a new template function $(sanitize) in the 3.4 tree that can
help escape the untrusted values, otherwise it is possible to create
unwanted files/directories under a tree.

--
Bazsi
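
A simplified model of the behaviour described in this message, added as an illustration and not taken from syslog-ng or from the original post. The destination tree /var/log/apps, the .log suffix and the sample program names are constructed, and the sanitize() defaults (replace '/' and control characters with '_') are an assumption about how $(sanitize) behaves.

```python
# Added illustration: a simplified model, not syslog-ng source code.
import posixpath

BASE = "/var/log/apps"  # hypothetical destination tree (assumption)


def expand(program: str) -> str:
    """Expand the hypothetical template BASE/$PROGRAM.log with no escaping."""
    return f"{BASE}/{program}.log"


def refused(path: str) -> bool:
    """The check named in the message: reject names containing '../' or '/..'."""
    return "../" in path or "/.." in path


def sanitize(value: str, invalid: str = "/", replacement: str = "_") -> str:
    """Model of $(sanitize): replace '/' and control characters (assumed defaults)."""
    return "".join(replacement if c in invalid or ord(c) < 32 else c for c in value)


def extra_dirs(path: str) -> list:
    """Directories below BASE that writing `path` would have to create."""
    below = posixpath.dirname(posixpath.normpath(path))[len(BASE):]
    return [part for part in below.split("/") if part]


def classify(program: str) -> dict:
    """Compare the raw and the sanitized expansion for one $PROGRAM value."""
    raw = expand(program)
    is_refused = refused(raw)
    return {
        "raw": raw,
        "refused": is_refused,
        # A refused name creates nothing; an accepted one may still nest.
        "extra_dirs": [] if is_refused else extra_dirs(raw),
        "sanitized": expand(sanitize(program)),
    }


if __name__ == "__main__":
    # Constructed sample values for $PROGRAM.
    for program in ["sshd", "/etc/passwd", "a/b/c", "../outside"]:
        print(program, classify(program))
```

In this model a sanitized value that begins with '..' still matches the '/..' substring check, so it is refused rather than written.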