Re: Add --{no-,}bypassrls flags to createuser

From Michael Paquier
Subject Re: Add --{no-,}bypassrls flags to createuser
Date
Msg-id Ys47HiYLRj2XdBTq@paquier.xyz
In reply to Re: Add --{no-,}bypassrls flags to createuser  (Kyotaro Horiguchi <horikyota.ntt@gmail.com>)
List pgsql-hackers

On Thu, May 26, 2022 at 04:47:46PM +0900, Kyotaro Horiguchi wrote:
> FWIW, the "fancy" here causes me to think about something likely to
> cause syntax breakage of the query to be sent.
>
> createuser -a 'user"1' -a 'user"2' 'user"3'
> createuser -v "2023-1-1'; DROP TABLE public.x; select '" hoge

That would be mostly using spaces here, to make sure that quoting is
correctly applied.

> BUT, these should be prevented by the functions enumerated above. So,
> I don't think we need them.

Mostly.  For example, the test for --valid-until can use a timestamp
with spaces to validate the use of appendStringLiteralConn().  A
second thing is that --member was checked, but not --admin, so I have
renamed regress_user2 to "regress user2" for that to apply a maximum
of coverage, and applied the patch.

One thing that I found annoying is that this made the list of options
of createuser much harder to follow.  That's not something caused by
this patch as many options have accumulated across the years and there
is a kind of pattern where the connection options were listed first, but
I have cleaned up that while on it.  A second area where this could be
done is createdb, as it could be easily expanded if the backend query
gains support for more stuff, but that can happen when it makes more
sense.
--
Michael
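
The quoting the tests in this thread exercise, as an added example that is not part of the message or of the PostgreSQL source: a simplified Python model of identifier and string-literal quoting, run over the inputs quoted above, with a deliberately unquoted builder for contrast. All function names are hypothetical, the "2029 12 31" timestamp is constructed, and the model assumes standard_conforming_strings = on.

```python
# Simplified model of the quoting discussed in the thread; not PostgreSQL source.
# Assumes standard_conforming_strings = on, so backslashes need no escaping.

def quote_ident(name):
    # Always double-quote the identifier and double any embedded double quote.
    return '"' + name.replace('"', '""') + '"'

def quote_literal(value):
    # Single-quote the value and double any embedded single quote.
    return "'" + value.replace("'", "''") + "'"

def build_create_role(name, valid_until=None, members=(), admins=()):
    parts = ["CREATE ROLE " + quote_ident(name)]
    if valid_until is not None:
        parts.append("VALID UNTIL " + quote_literal(valid_until))
    if members:
        parts.append("ROLE " + ", ".join(quote_ident(m) for m in members))
    if admins:
        parts.append("ADMIN " + ", ".join(quote_ident(a) for a in admins))
    return " ".join(parts) + ";"

def build_unquoted(name, valid_until):
    # Deliberately unsafe contrast: values pasted into the query text as-is.
    return "CREATE ROLE " + name + " VALID UNTIL '" + valid_until + "';"

def split_statements(sql):
    # Split on semicolons that sit outside '...' and "..." quoting.
    # A doubled quote closes and immediately reopens the quoted run.
    stmts, cur, quote = [], [], None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            stmts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    return stmts + [tail] if tail else stmts

if __name__ == "__main__":
    expiry = "2023-1-1'; DROP TABLE public.x; select '"  # from the quoted mail
    for sql in (build_unquoted("hoge", expiry),
                build_create_role("hoge", valid_until=expiry),
                build_create_role('user"3', admins=['user"1', 'user"2']),
                build_create_role("hoge", valid_until="2029 12 31",
                                  members=["regress user2"])):
        print(len(split_statements(sql)), sql)
```

The first line printed reports three statements for the unquoted form; every quoted form stays a single CREATE ROLE statement.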
