On 4/21/24 17:10, Tom Lane wrote:
> Tomas Vondra <tomas.von...@enterprisedb.com> writes:
>> On 4/21/24 00:19, Tom Lane wrote:
>>> I'm not suggesting that this is an interesting security vulnerability,
>>> because if you can control the arguments to createdb it's probably
>>> game over long since. But wrapping the arguments is good for
>>> delivering on-point error messages. So I'd add a fmtId() call to
>>> LOCALE_PROVIDER too.
>
>> OK, the attached 0001 patch does these three things - adds the fmtId()
>> for locale_provider, makes the comparison case-insensitive for strategy
>> and also removes the comma from the hint.
>
> LGTM.
>

Pushed, after tweaking the commit message a bit.

>> The createdb vs. CREATE DATABASE difference made me look if we have any
>> regression tests for CREATE DATABASE, and we don't. I guess it would be
>> good to have some, so I added a couple, for some of the parameters, see
>> 0002. But there's a problem with the locale stuff - this seems to work
>> in plain "make check", but pg_upgrade creates the clusters with
>> different providers etc. which changes the expected output. I'm not sure
>> there's a good way to deal with this ...
>
> Probably not worth the trouble, really.
>

Agreed.

regards

-- 
Tomas Vondra
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
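To make the point in the thread concrete (why wrapping a createdb argument in fmtId() changes what the server sees, and what a case-insensitive strategy check looks like), here is an added example. It is not code from this thread or from PostgreSQL's createdb.c: quote_ident() is a simplified re-implementation of the fmtId() quoting rule (lowercase letters, digits and underscore pass through, anything else is double-quoted with embedded quotes doubled; the reserved-keyword check is omitted), strategy_valid() is an illustrative case-insensitive comparison, and the exact option layout of the generated statement is assumed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy a C string into freshly allocated memory (caller frees). */
static char *copy_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    memcpy(out, s, n);
    return out;
}

/* Simplified fmtId()-style quoting (assumption: keyword check omitted).
 * A value that is not a plain lowercase identifier is wrapped in double
 * quotes, so it can only ever be parsed as ONE identifier, never as extra
 * clauses spliced into the statement. Caller frees the result. */
static char *quote_ident(const char *raw)
{
    size_t len = strlen(raw);
    int safe = len > 0 && !isdigit((unsigned char) raw[0]);

    for (size_t i = 0; safe && i < len; i++) {
        unsigned char c = (unsigned char) raw[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_'))
            safe = 0;
    }
    if (safe)
        return copy_str(raw);

    /* Worst case: every byte is a '"' and gets doubled, plus 2 delimiters + NUL. */
    char *out = malloc(2 * len + 3);
    char *p = out;
    *p++ = '"';
    for (size_t i = 0; i < len; i++) {
        if (raw[i] == '"')
            *p++ = '"';
        *p++ = raw[i];
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* Case-insensitive check of the --strategy value against the two names
 * CREATE DATABASE accepts (illustrative stand-in for a pg_strcasecmp loop). */
static int strategy_valid(const char *s)
{
    static const char *const allowed[] = { "wal_log", "file_copy" };

    for (size_t k = 0; k < sizeof(allowed) / sizeof(allowed[0]); k++) {
        const char *a = allowed[k];
        size_t i = 0;
        while (a[i] && s[i] && tolower((unsigned char) s[i]) == a[i])
            i++;
        if (a[i] == '\0' && s[i] == '\0')
            return 1;
    }
    return 0;
}

/* Build the statement the way a client tool might. quote_provider selects
 * whether the LOCALE_PROVIDER value goes through quote_ident() ("after" the
 * fix) or is pasted in raw ("before"). Statement layout is an assumption. */
static char *build_createdb(const char *dbname, const char *strategy,
                            const char *provider, int quote_provider)
{
    char *qname = quote_ident(dbname);
    char *qprov = quote_provider ? quote_ident(provider) : copy_str(provider);
    size_t n = strlen(qname) + strlen(strategy) + strlen(qprov) + 64;
    char *sql = malloc(n);

    snprintf(sql, n, "CREATE DATABASE %s STRATEGY %s LOCALE_PROVIDER %s;",
             qname, strategy, qprov);
    free(qname);
    free(qprov);
    return sql;
}

int main(void)
{
    /* Constructed sample argument: not a provider name, but extra syntax. */
    const char *odd = "icu LOCALE 'x'";
    char *raw = build_createdb("app", "wal_log", odd, 0);
    char *wrapped = build_createdb("app", "wal_log", odd, 1);

    printf("raw:     %s\n", raw);      /* extra clause reaches the parser */
    printf("wrapped: %s\n", wrapped);  /* one quoted identifier, rejected as such */
    printf("WAL_LOG valid: %d, wal-log valid: %d\n",
           strategy_valid("WAL_LOG"), strategy_valid("wal-log"));
    free(raw);
    free(wrapped);
    return 0;
}
```

With the raw form the server has to make sense of a stray LOCALE clause and reports whatever syntax error that produces; with the wrapped form it sees a single identifier `"icu LOCALE 'x'"` in the provider position and the error points at the provider value itself, which is the "on-point error message" argument made above.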