From: Tom Lane
To: Amjad Shahzad
cc: pgsql-bugs@lists.postgresql.org
Subject: Re: BUG #19510: refint.c: SQL injection via unquoted identifier arguments in check_primary_key and check_foreign_key
References: <19510-953c48eaf669350b@postgresql.org>
Comments: In-reply-to Amjad Shahzad message dated "Fri, 05 Jun 2026 04:50:52 +0500"
Date: Thu, 04 Jun 2026 20:06:16 -0400
Message-ID: <3539886.1780617976@sss.pgh.pa.us>

Amjad Shahzad writes:
> Patch attached for the issue reported above.

I don't think we can just blindly "quote_identifier" all these strings.

As an example, suppose somebody has set the relname argument of a trigger to 'myschema.mytable'. Their code works fine today, and is perfectly secure, and your patch would break it. Mixed-case identifiers are another trouble spot where quoting could change the meaning of valid code.

The pgsql-security team already discussed these issues while preparing the recent CVEs in this area, and concluded that the only workable path forward is to add documentation explaining that these arguments are handled as fragments of SQL query text. So any required quoting is up to the calling application. Fortunately, trigger arguments are not the sort of thing that's likely to be taken blindly from untrusted input.

regards, tom lane
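A constructed SQL illustration of the point made above (added here; it is not part of the thread and not PostgreSQL's own code): the refint trigger arguments are spliced into query text as written, so a schema-qualified or mixed-case name must be passed already in its SQL spelling, and a blanket quote_identifier() would turn such valid arguments into different identifiers. The schema, table and trigger names are assumptions for the example; the audit query at the end lists every trigger that uses these functions so its arguments can be reviewed.

```sql
-- Constructed example: refint's check_primary_key() takes its arguments
-- as fragments of SQL query text, exactly as the reply above describes.
CREATE EXTENSION IF NOT EXISTS refint;

CREATE SCHEMA myschema;
CREATE TABLE myschema."Parent" (id integer PRIMARY KEY);   -- mixed-case name
CREATE TABLE child (id integer, parent_id integer);

-- The referenced-table argument is written the way it would appear in a
-- query: schema-qualified, with the mixed-case part already double-quoted.
-- Quoting is the caller's job; the trigger function does not add any.
CREATE TRIGGER child_parent_check
    BEFORE INSERT OR UPDATE ON child
    FOR EACH ROW
    EXECUTE FUNCTION check_primary_key('parent_id', 'myschema."Parent"', 'id');

-- What blindly applying quote_identifier() to those same arguments yields:
SELECT quote_identifier('myschema.mytable');
--  "myschema.mytable"      : one identifier containing a dot, no schema lookup
SELECT quote_identifier('myschema."Parent"');
--  "myschema.""Parent"""   : an argument that is valid today stops resolving

-- Review check: list every trigger that hands arguments to the refint
-- functions, so the argument strings can be confirmed to be fixed literals
-- written by the application rather than values derived from user input.
SELECT t.tgrelid::regclass AS table_name,
       p.proname          AS trigger_function,
       pg_get_triggerdef(t.oid) AS definition
FROM pg_trigger t
JOIN pg_proc p ON p.oid = t.tgfoid
WHERE p.proname IN ('check_primary_key', 'check_foreign_key')
  AND NOT t.tgisinternal;
```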