On Thu, 21 Sept 2023 at 16:18, David Rowley <dgrowle...@gmail.com> wrote: > Thanks for the report and the patch. I agree this has been overlooked. > > I also wonder if we should be escaping the buffer-usage-limit string > sent in the comment. It seems quite an unlikely attack vector, as the > user would have command line access and could likely just use psql > anyway, but I had thought about something along the lines of: > > $ vacuumdb --buffer-usage-limit "1MB'); drop database postgres;--" postgres > vacuumdb: vacuuming database "postgres" > vacuumdb: error: processing of database "postgres" failed: ERROR: > VACUUM cannot run inside a transaction block > > seems that won't work, due to sending multiple commands at once, but I > think we should fix it anyway.
I've pushed your patch plus some additional code to escape the text specified in --buffer-usage-limit before passing it to the server in commit 5cfba1ad6 Thanks again for the report. David
