Re: [PATCH] Include application_name in "connection authorized" log message
Andres Freund <andres@anarazel.de>
From: Andres Freund <andres@anarazel.de>
To: pgsql-hackers@lists.postgresql.org,Stephen Frost <sfrost@snowman.net>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,Don Seiler
<don@seiler.us>,Tom Lane <tgl@sss.pgh.pa.us>
Date: 2018-09-27T21:59:01Z
Lists: pgsql-hackers
On September 27, 2018 2:55:56 PM PDT, Stephen Frost <sfrost@snowman.net> wrote: >Greetings, > >* Andres Freund (andres@anarazel.de) wrote: >> On 2018-09-27 17:41:56 -0400, Stephen Frost wrote: >> > Of course, if I'm missing something as to why the ascii-cleaning >makes >> > sense or is necessary, I'm all ears, but I'm just not seeing it. >> >> There's many reasons. For example you can send terminal control >> characters to the server. When somebody then looks at the log, you >can >> screw with them pretty good, unless they're always careful to go >through >> less (without -r). We should be *more* not *less* careful about this >> kind of hting. > >I seriously doubt we're going to start stripping usernames down to >ASCII >for them to be displayed in the log file. So? As you say, they are much more control from the a admins of the server. I guess at some point we should have more expansive whitelisting than just ASCII, but that seems separate. Andres -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Commits
-
Add application_name to connection authorized msg
- 8bddc864000f 12.0 landed