Certain types of log output could contain control characters and rewrite the log output, potentially providing the ability to spoof false entries.
Example (constructed together with @alexey-milovidov):
echo -e "SELECT '\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x1b[2;37;41m <Error> Alert! Reset your password here at https://clickhouse.owned/resetpassword\x1b[2;37;0m'"| clickhouse-client
This will write the following to the logs:
2021.12.21 16:31:21.113844 [ 17527 ] {29ed3a0f-ff56-4747-8bc4-dec99a488fb7} <Error> Alert! Reset your password here at https://clickhouse.owned/resetpassword'
2021.12.21 16:31:21.114009 [ 17527 ] {29ed3a0f-ff56-4747-8bc4-dec99a488fb7} <Trace> ContextAccess (default): Access granted: SELECT(dummy) ON system.one
The logger's OwnPatternFormatter may need to support the containment of control character output from SQL and other logging output so that it is not able to spoof log output.
Reporting for release 21.3+
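One way to contain control characters before a message reaches the log, shown as an added example that is not part of the original report and is not ClickHouse's code: the helper names `escapeControlChars` and `isTerminalSafe` are hypothetical, and the sample query is a constructed, shortened version of the one above. It renders each C0 control byte and DEL as visible `\xNN` text, so backspaces and ANSI colour sequences stay in the log as evidence but can no longer rewrite what a terminal shows.

```cpp
#include <cstdio>
#include <iostream>
#include <string>
#include <string_view>

// Hypothetical helper (not a ClickHouse function): returns a copy of `msg` in
// which every C0 control byte (0x00-0x1F) and DEL (0x7F) is rendered as text.
// Bytes >= 0x80 pass through so UTF-8 survives; C1 controls encoded as UTF-8
// are therefore not covered by this sketch.
std::string escapeControlChars(std::string_view msg)
{
    std::string out;
    out.reserve(msg.size());
    for (unsigned char c : msg)
    {
        if (c == '\\')      out += "\\\\"; // keep the escaped form unambiguous
        else if (c == '\n') out += "\\n";  // no forged extra log lines
        else if (c == '\r') out += "\\r";  // no return-and-overwrite
        else if (c == '\t') out += "\\t";
        else if (c < 0x20 || c == 0x7F)
        {
            char buf[5];                   // "\xNN" plus terminating NUL
            std::snprintf(buf, sizeof(buf), "\\x%02X", static_cast<unsigned>(c));
            out += buf;
        }
        else
            out += static_cast<char>(c);
    }
    return out;
}

// True when a line holds no byte that can move the cursor or change colours.
bool isTerminalSafe(std::string_view line)
{
    for (unsigned char c : line)
        if (c < 0x20 || c == 0x7F)
            return false;
    return true;
}

int main()
{
    // Constructed sample modelled on the report: backspaces, then an SGR sequence.
    const std::string query = "SELECT '\x08\x08\x08\x1b[2;37;41m <Error> Alert!\x1b[2;37;0m'";
    const std::string safe = escapeControlChars(query);
    std::cout << safe << '\n';
    return isTerminalSafe(safe) ? 0 : 1;
}
```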