public inbox for [email protected]
From: Japin Li <[email protected]>
To: David G. Johnston <[email protected]>
Cc: Kirill Reshke <[email protected]>
Cc: PostgreSQL mailing lists <[email protected]>
Cc: zengman <[email protected]>
Subject: Re: BUG #19478: `dblink_close` can be used for injection.
Date: Mon, 18 May 2026 11:10:04 +0800
Message-ID: <SY7PR01MB109210EEFFFD92EB4C223211EB6032@SY7PR01MB10921.ausprd01.prod.outlook.com>
In-Reply-To: <CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com>
References: <[email protected]>
<SY7PR01MB1092112D26F767633CF783E88B6052@SY7PR01MB10921.ausprd01.prod.outlook.com>
<CALdSSPjBpUfY=S2i_3ACqF7YUJ=po1TDwYnDPDx38=j8LKXj7g@mail.gmail.com>
<CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com>
On Fri, 15 May 2026 at 21:28, "David G. Johnston" <[email protected]> wrote:
> On Friday, May 15, 2026, Kirill Reshke <[email protected]> wrote:
>
> On Sat, 16 May 2026, 06:24 Japin Li, <[email protected]> wrote:
>
> On Fri, 15 May 2026 at 01:29, PG Bug reporting form <[email protected]> wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 19478
> > Logged by: Man Zeng
> > Email address: [email protected]
> > PostgreSQL version: 18.4
> > Operating system: 24.04.1-Ubuntu
> > Description:
> >
> >
> >
> > - appendStringInfo(&buf, "CLOSE %s", curname);
> > + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
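Review bot: quoting the name only in dblink_close changes which cursor is addressed whenever the name is not already lower case: quote_ident_cstr keeps `MyCur` as `"MyCur"`, while a still-unquoted `DECLARE MyCur CURSOR ...` on the dblink_open side is folded to `mycur`, so the `CLOSE "MyCur"` built here would not find the cursor that dblink_open created. Apply the same quoting wherever dblink_open and dblink_fetch interpolate the cursor name, in the same patch, and add a regression test that covers both a name containing `;` or `"` and a mixed-case name; as posted the hunk carries no test.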
> >
>
> According to the documentation [1], it should be a cursor name. Wrapping it
> in quotes can prevent attacks like SQL injection. I think your modification
> is correct, and we should add test cases for it.
>
> [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html
>
>
> Well, is there any actual injection? I mean, if a user can execute dblink_close, then the user can run SQL with
> dblink_open and simply do SQL? Unless there is the weird case where we only granted the close function, I guess.
>
I think this is similar to SQL injection. However, no actual injection happened.
> Switching to quote_ident means we no longer lowercase an unquoted input. Is this improvement in API design worth the
> potential breakage? If so, make sure we at least change the dblink_open (and fetch…) code similarly.
>
> I’m disinclined to change this unless it’s shown the only possible use of the identifier is within the dblink function
> arguments, where we can change all uses to quote_identifier. Even then, inconsistent capitalization still might exist.
>
I don't think the current implementation is acceptable. Could we restrict the
cursor name to identifier characters?
> David J.
--
Regards,
Japin Li
ChengDu WenWu Information Technology Co., Ltd.
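The following is an added example, not code from PostgreSQL or from anyone in this thread. It contrasts the two ways the CLOSE statement discussed above can be built (raw interpolation versus identifier quoting) and makes David's case-folding objection concrete. The function names (`quote_ident`, `build_close_unquoted`, `build_close_quoted`, `resolve_ident`, `semicolons_outside_quotes`) are this example's own; `quote_ident` is a simplified stand-in for PostgreSQL's quote_identifier() that does not check the keyword list, and the folding helper models only ASCII lower-casing without the 63-byte truncation. The cursor names are constructed inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of how the server treats an UNQUOTED identifier: folded to lower
 * case (ASCII only here; the real server also truncates to 63 bytes). */
static void fold_unquoted(const char *in, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i + 1 < outlen && in[i] != '\0'; i++)
        out[i] = (char) tolower((unsigned char) in[i]);
    out[i] = '\0';
}

/* Simplified stand-in for quote_identifier(): a name that is already a plain
 * lower-case identifier is returned bare, anything else is double-quoted
 * with embedded double quotes doubled. (The real function also quotes
 * keywords.) Caller frees the result. */
char *quote_ident(const char *name)
{
    size_t len = strlen(name);
    int safe = len > 0 && (islower((unsigned char) name[0]) || name[0] == '_');
    for (size_t i = 0; safe && i < len; i++) {
        unsigned char c = (unsigned char) name[i];
        if (!(islower(c) || isdigit(c) || c == '_'))
            safe = 0;
    }
    char *out = malloc(2 * len + 3);   /* every char doubled + 2 quotes + NUL */
    char *p = out;
    if (safe) {
        memcpy(out, name, len + 1);
        return out;
    }
    *p++ = '"';
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '"')
            *p++ = '"';
        *p++ = name[i];
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* Pre-patch shape of dblink_close: the name is interpolated verbatim. */
char *build_close_unquoted(const char *curname)
{
    size_t n = strlen("CLOSE ") + strlen(curname) + 1;
    char *sql = malloc(n);
    snprintf(sql, n, "CLOSE %s", curname);
    return sql;
}

/* Post-patch shape: the name goes through the identifier quoter first. */
char *build_close_quoted(const char *curname)
{
    char *q = quote_ident(curname);
    char *sql = build_close_unquoted(q);
    free(q);
    return sql;
}

/* Count ';' outside double-quoted identifiers: >0 means the text meant to be
 * a single CLOSE now carries additional statements. */
int semicolons_outside_quotes(const char *sql)
{
    int in_dq = 0, count = 0;
    for (const char *p = sql; *p; p++) {
        if (*p == '"')
            in_dq = !in_dq;
        else if (*p == ';' && !in_dq)
            count++;
    }
    return count;
}

/* The cursor name the server resolves for an identifier token as written in
 * SQL: a quoted token keeps its case (with "" un-doubled), a bare one folds. */
void resolve_ident(const char *token, char *out, size_t outlen)
{
    if (token[0] != '"') {
        fold_unquoted(token, out, outlen);
        return;
    }
    size_t j = 0;
    for (const char *p = token + 1; *p && j + 1 < outlen; p++) {
        if (*p == '"') {
            if (p[1] == '"') { out[j++] = '"'; p++; }
            else break;                     /* closing quote */
        } else
            out[j++] = *p;
    }
    out[j] = '\0';
}

int main(void)
{
    /* Constructed inputs: a hostile cursor name and a mixed-case one. */
    const char *hostile = "c1; DROP TABLE t; --";
    const char *mixed = "MyCur";
    char *a = build_close_unquoted(hostile), *b = build_close_quoted(hostile);
    printf("%s  -> ';' outside quotes: %d\n", a, semicolons_outside_quotes(a));
    printf("%s  -> ';' outside quotes: %d\n", b, semicolons_outside_quotes(b));

    /* Case-folding caveat: an unquoted DECLARE resolves one name, the quoted
     * CLOSE resolves another, so the cursor is never closed. */
    char opened[64], closed[64], *q = quote_ident(mixed);
    resolve_ident(mixed, opened, sizeof opened);
    resolve_ident(q, closed, sizeof closed);
    printf("DECLARE %s opens \"%s\"; CLOSE %s targets \"%s\" (%s)\n",
           mixed, opened, q, closed, strcmp(opened, closed) ? "mismatch" : "match");
    free(a); free(b); free(q);
    return 0;
}
```

The first pair of lines shows why the unquoted form is an injection primitive whenever the cursor name is attacker-controlled: the two semicolons sit at statement level, whereas after quoting they are inert inside one identifier. The mismatch line is the breakage David raises: fixing only the CLOSE side leaves `DECLARE` folding `MyCur` to `mycur` while `CLOSE "MyCur"` looks for a different cursor, which is why the open and fetch paths have to be quoted in the same change.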