public inbox for [email protected]  
From: David G. Johnston <[email protected]>
To: Kirill Reshke <[email protected]>
Cc: Japin Li <[email protected]>
Cc: PostgreSQL mailing lists <[email protected]>
Cc: zengman <[email protected]>
Subject: Re: BUG #19478: `dblink_close` can be used for injection.
Date: Fri, 15 May 2026 21:28:56 -0700
Message-ID: <CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com>
In-Reply-To: <CALdSSPjBpUfY=S2i_3ACqF7YUJ=po1TDwYnDPDx38=j8LKXj7g@mail.gmail.com>
References: <[email protected]>
	<SY7PR01MB1092112D26F767633CF783E88B6052@SY7PR01MB10921.ausprd01.prod.outlook.com>
	<CALdSSPjBpUfY=S2i_3ACqF7YUJ=po1TDwYnDPDx38=j8LKXj7g@mail.gmail.com>

On Friday, May 15, 2026, Kirill Reshke <[email protected]> wrote:

>
>
> On Sat, 16 May 2026, 06:24 Japin Li, <[email protected]> wrote:
>
>> On Fri, 15 May 2026 at 01:29, PG Bug reporting form <[email protected]> wrote:
>> > The following bug has been logged on the website:
>> >
>> > Bug reference:      19478
>> > Logged by:          Man Zeng
>> > Email address:      [email protected]
>> > PostgreSQL version: 18.4
>> > Operating system:   24.04.1-Ubuntu
>> > Description:
>> >
>> >
>> >
>> > -       appendStringInfo(&buf, "CLOSE %s", curname);
>> > +       appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
>> >
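Review bot: quoting the name only in dblink_close leaves the same raw interpolation in dblink_open and dblink_fetch (as the reply further down notes), so the patched close no longer matches a cursor that open created with a non-lowercase name: an unquoted `MyCursor` is case-folded to `mycursor` at open time, while `quote_ident_cstr("MyCursor")` makes close send `CLOSE "MyCursor"`, which does not exist. Change all three call sites in one patch, state in the commit message that unquoted mixed-case input is no longer folded, and add the regression test the thread asks for, with one mixed-case name and one name containing `;` and `"` so both the injection fix and the behaviour change are exercised. The quoted hunk also has no `@@` or file header, so the function and file being changed cannot be confirmed from these two lines; send the full context diff.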
>>
>>
>> According to the documentation [1], it should be a cursor name.  Wrapping
>> it in quotes can prevent attacks like SQL injection.  I think your
>> modification is correct, and we should add test cases for it.
>>
>> [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html
>>
>
> Well, is there any actual injection? I mean, if a user can execute
> dblink_close, then the user can do SQL with dblink_open and simply do SQL?
> Unless the weird case when we only granted the close function, I guess.
>
Switching to quote_ident means we no longer lowercase an unquoted input.
Is this improvement in API design worth the potential breakage?  If so,
make sure we at least change the dblink_open (and fetch…) code similarly.

I’m disinclined to change this unless it’s shown that the only possible use of
the identifier is within the dblink function arguments, where we can change all
uses to quote_identifier.  Even then, inconsistent capitalization might still
exist.

David J.
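To make the two points of this thread concrete (the statement splitting the bug report is about, and the case-folding change David raises), here is an added Python model; it is not part of the thread and not dblink's code. It reimplements a simplified quote_identifier (the keyword check of the real server function is omitted, an assumption) and the server's case folding of unquoted identifiers, builds the CLOSE statement the pre-patch way and the patched way, and checks whether a cursor opened one way can be closed the other way. The names count_statements, resolved_cursor_name and round_trip_ok are chosen here, the sample inputs are constructed, and the remote side is assumed to run the string as a simple multi-statement query.

```python
import re

# Simplified model of PostgreSQL's quote_identifier(), the server function
# that dblink's quote_ident_cstr wraps: an identifier is returned as-is only
# if it is made of lowercase ASCII letters, digits and underscores and does
# not start with a digit; anything else is double-quoted, with embedded
# double quotes doubled.  Assumption: the real function also quotes most
# SQL keywords; that check is omitted here.
_SAFE_UNQUOTED = re.compile(r"[a-z_][a-z0-9_]*")


def quote_identifier(ident: str) -> str:
    if _SAFE_UNQUOTED.fullmatch(ident):
        return ident
    return '"' + ident.replace('"', '""') + '"'


def fold_identifier(token: str) -> str:
    """Model how the server resolves one identifier token: a double-quoted
    token keeps its exact spelling (with "" unescaped); an unquoted token is
    case-folded to lower case."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('""', '"')
    return token.lower()


def close_stmt_before(curname: str) -> str:
    # Pre-patch behaviour from the bug report: the name is interpolated raw.
    return f"CLOSE {curname}"


def close_stmt_after(curname: str) -> str:
    # Patched behaviour: the name goes through the quoting function first.
    return f"CLOSE {quote_identifier(curname)}"


def count_statements(sql: str) -> int:
    """Count top-level statements the way a simple-query parser would see
    them: ';' separates statements unless it sits inside a quoted identifier.
    (Naive model: single-quoted string literals are not handled.)"""
    count, in_quote = 1, False
    for ch in sql:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            count += 1
    return count


def resolved_cursor_name(curname: str, quoted: bool) -> str:
    """Name the server binds a cursor to when the user's input is
    interpolated raw (quoted=False) or through quote_identifier."""
    token = quote_identifier(curname) if quoted else curname
    return fold_identifier(token)


def round_trip_ok(curname: str, open_quoted: bool, close_quoted: bool) -> bool:
    """True when the name resolved at open time equals the one resolved at
    close time, i.e. when CLOSE will find the cursor that OPEN created."""
    return (resolved_cursor_name(curname, open_quoted)
            == resolved_cursor_name(curname, close_quoted))


if __name__ == "__main__":
    hostile = "c1; SELECT 1"  # constructed input: a name carrying a second statement
    for build in (close_stmt_before, close_stmt_after):
        sql = build(hostile)
        print(f"{build.__name__:18} {sql!r:24} statements={count_statements(sql)}")
    for name in ("mycursor", "MyCursor"):
        print(f"{name:9} open raw / close quoted -> {round_trip_ok(name, False, True)}"
              f" | both quoted -> {round_trip_ok(name, True, True)}")
```

The first loop shows why the report calls this injection: the raw build yields two statements from one argument, the quoted build yields one. The second loop is David's objection in miniature: for an all-lowercase name nothing changes, but for `MyCursor` a raw open and a quoted close resolve to different cursors, which is why the quoting has to be applied to open, fetch and close together.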

