public inbox for [email protected]
help / color / mirror / Atom feedFrom: Amjad Shahzad <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: BUG #19510: refint.c: SQL injection via unquoted identifier arguments in check_primary_key and check_foreign_key
Date: Fri, 5 Jun 2026 05:29:16 +0500
Message-ID: <CADHzGZTsdeo9pBVbeSTn2p3rgRdWN3ijiDU5QkyfLK6+MxihwQ@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<CADHzGZQ9qM-JrTN+mBRHapDYVKymPV=E39nV5aB_N+sSTR=35A@mail.gmail.com>
<[email protected]>
Hi Tom,
Thank you for the detailed review and for explaining the security team's
earlier discussion.
You're absolutely right, I missed the schema-qualified name case.
quote_identifier('myschema.mytable') would produce "myschema.mytable"
treating the dot as part of the identifier, which would silently break
existing valid triggers. That's a real regression, and I withdrew the patch.
Understood that the security team's position is documentation rather than a
code fix given these constraints. Thanks again for taking the
time to explain the reasoning.
Regards,
Amjad
On Fri, Jun 5, 2026 at 5:06 AM Tom Lane <[email protected]> wrote:
> Amjad Shahzad <[email protected]> writes:
> > Patch attached for the issue reported above.
>
> I don't think we can just blindly "quote_identifier" all these
> strings. As an example, suppose somebody has set the relname
> argument of a trigger to 'myschema.mytable'. Their code works
> fine today, and is perfectly secure, and your patch would break it.
> Mixed-case identifiers are another trouble spot where quoting
> could change the meaning of valid code.
>
> The pgsql-security team already discussed these issues while preparing
> the recent CVEs in this area, and concluded that the only workable
> path forward is to add documentation explaining that these arguments
> are handled as fragments of SQL query text. So any required quoting
> is up to the calling application. Fortunately, trigger arguments are
> not the sort of thing that's likely to be taken blindly from untrusted
> input.
>
> regards, tom lane
>
view thread (3+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: BUG #19510: refint.c: SQL injection via unquoted identifier arguments in check_primary_key and check_foreign_key
In-Reply-To: <CADHzGZTsdeo9pBVbeSTn2p3rgRdWN3ijiDU5QkyfLK6+MxihwQ@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox