> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Heinbockel, Bill > Sent: Wednesday, November 03, 2010 6:49 PM > To: rsyslog-users > Subject: Re: [rsyslog] Feedback Request: NULs in strings? > > While it is against the specification, how do you handle the case were > an invalid character is included in the name? This is an issue where > most programs have issues; they assume that the message will according > to the specification. The approach of what to do if an illegal > character is encounter should be standardized as well... (though this > applies more generally to "what do you do if you receive an invalid > name in structured data) > > Off the top of my head, you have only 1 of 3 choices: > (1) strip the offending characters > (2) strip the whole name=value pair > (3) drop the entire message
You are absolutely right, with a special choice (4) drop the structured data element in which the invalid field exists But that's only an additional option because we have this additional layer ;) In RFC5424, we left this somewhat open, because some users insist on seeing even malformed data (if you think about it, there is some logic in this, otherwise you may have another attack factor). The overall spirit of RFC5424 is to either drop things that are malformed, change them into some safe encoding for local storage (like NUL -> "#00" -or so- for further processing) but keep them untouched when forwarding (because the next receiver may make sense of them). All of this is very debatable, and indeed we had very lengthy debates in the syslog wg ;) Rainer _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
