SQL control characters are able to rewrite log information

[bkuschel]

You have to provide the following information whenever possible.

Certain type of log output could contain control characters and rewrite the log output, potentially providing the ability to spoof false entries.
Example (constructed together with @alexey-milovidov):

echo -e "SELECT '\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x1b[2;37;41m <Error> Alert! Reset your password here at https://clickhouse.owned/resetpassword\x1b[2;37;0m'" | clickhouse-client

This will write the following to the logs:

2021.12.21 16:31:21.113844 [ 17527 ] {29ed3a0f-ff56-4747-8bc4-dec99a488fb7} <Error> Alert! Reset your password here at https://clickhouse.owned/resetpassword'
2021.12.21 16:31:21.114009 [ 17527 ] {29ed3a0f-ff56-4747-8bc4-dec99a488fb7} <Trace> ContextAccess (default): Access granted: SELECT(dummy) ON system.one

A clear and concise description of what works not as it is supposed to.

The logger's OwnPatternFormatter may need to support the containment of control character output from SQL and other logging output so that it is not able to spoof log output.

Reporting for release 21.3+