From: Amjad Shahzad
Date: Fri, 5 Jun 2026 05:29:16 +0500
Subject: Re: BUG #19510: refint.c: SQL injection via unquoted identifier arguments in check_primary_key and check_foreign_key
To: Tom Lane
Cc: pgsql-bugs@lists.postgresql.org
References: <19510-953c48eaf669350b@postgresql.org> <3539886.1780617976@sss.pgh.pa.us>
In-Reply-To: <3539886.1780617976@sss.pgh.pa.us>

Hi Tom,

Thank you for the detailed review and for explaining the security team's earlier discussion.

You're absolutely right, I missed the schema-qualified name case.
quote_identifier('myschema.mytable') would produce "myschema.mytable" treating the dot as part of the identifier, which would silently break
existing valid triggers. That's a real regression, and I withdrew the patch.

Understood that the security team's position is documentation rather than a code fix given these constraints. Thanks again for taking the
time to explain the reasoning.

Regards,
Amjad

On Fri, Jun 5, 2026 at 5:06 AM Tom Lane wrote:
> Amjad Shahzad writes:
> > Patch attached for the issue reported above.
>
> I don't think we can just blindly "quote_identifier" all these
> strings.  As an example, suppose somebody has set the relname
> argument of a trigger to 'myschema.mytable'.  Their code works
> fine today, and is perfectly secure, and your patch would break it.
> Mixed-case identifiers are another trouble spot where quoting
> could change the meaning of valid code.
>
> The pgsql-security team already discussed these issues while preparing
> the recent CVEs in this area, and concluded that the only workable
> path forward is to add documentation explaining that these arguments
> are handled as fragments of SQL query text.  So any required quoting
> is up to the calling application.  Fortunately, trigger arguments are
> not the sort of thing that's likely to be taken blindly from untrusted
> input.
>
>                         regards, tom lane
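The regression discussed in this thread, as an added example (not code from the thread, the withdrawn patch, or PostgreSQL itself). `quote_ident_model`, `parse_name` and `meaning_kept` are hypothetical, simplified models of identifier quoting and of how a name fragment spliced into query text is read; the sample names other than 'myschema.mytable' are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of quote_identifier (assumption: keyword check omitted): bare
 * if the name is [a-z_][a-z0-9_]*, else double-quoted with quotes doubled. */
static void quote_ident_model(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int safe = (in[0] == '_' || islower((unsigned char)in[0]));
    for (const char *p = in; *p && safe; p++)
        safe = (*p == '_' || islower((unsigned char)*p) || isdigit((unsigned char)*p));
    if (safe) { snprintf(out, outlen, "%s", in); return; }
    out[o++] = '"';
    for (const char *p = in; *p && o + 3 < outlen; p++) {
        if (*p == '"') out[o++] = '"';   /* double embedded quotes */
        out[o++] = *p;
    }
    out[o++] = '"'; out[o] = '\0';
}

/* Model of the parser reading a name fragment: dots outside double quotes split
 * parts (joined by '|'); bare text folds to lower case; quoted text is verbatim. */
static int parse_name(const char *frag, char *out, size_t outlen)
{
    int parts = 1, inq = 0; size_t o = 0;
    for (const char *p = frag; *p && o + 1 < outlen; p++) {
        if (*p == '"' && inq && p[1] == '"') { out[o++] = '"'; p++; }
        else if (*p == '"') inq = !inq;
        else if (*p == '.' && !inq) { out[o++] = '|'; parts++; }
        else out[o++] = inq ? *p : (char)tolower((unsigned char)*p);
    }
    out[o] = '\0';
    return parts;
}

/* Returns 1 if quoting the argument leaves its parsed meaning unchanged. */
static int meaning_kept(const char *arg)
{
    char q[128], a[128], b[128];
    quote_ident_model(arg, q, sizeof q);
    return parse_name(arg, a, sizeof a) == parse_name(q, b, sizeof b) && strcmp(a, b) == 0;
}

int main(void)
{
    const char *s[] = { "mytable", "myschema.mytable", "MyTable" }; /* constructed */
    for (int i = 0; i < 3; i++) printf("%s -> %d\n", s[i], meaning_kept(s[i]));
}
```

Only the plain lower-case name survives quoting unchanged: the schema-qualified argument collapses from two name parts to one, and the mixed-case argument stops folding to lower case.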