From: Marcos Magueta
Message-Id: <89DE974B-F318-4D0A-A60B-51EDE84054E2@gmail.com>
Subject: Re: WIP - xmlvalidate implementation from TODO list
Date: Fri, 2 Jan 2026 15:07:24 -0300
Cc: PostgreSQL Hackers
To: Kirill Reshke

> On 1 Jan 2026, at 05:25, Kirill Reshke <reshkekirill@gmail.com> wrote:
>
> On Thu, 1 Jan 2026, 01:27 Marcos Magueta, <maguetamarcos@gmail.com> wrote:
>> Hello again!
>>
>> Is there any interest in this? I understand PostgreSQL has bigger fish to fry, but I would like to at least know; in case this was just forgotten.
>>
>> Regards!
>>
>> On Fri, 19 Dec 2025 at 00:25, Marcos Magueta <maguetamarcos@gmail.com> wrote:
>>> Hello again!
>>>
>>> I took some time to actually finish this feature. I think the answers
>>> for the previous questions are now clearer. I checked the
>>> initialization and the protections are indeed in place since commit
>>> a4b0c0aaf093a015bebe83a24c183e10a66c8c39, which specifically states:
>>>
>>> > Prevent access to external files/URLs via XML entity references.
>>>
>>> > xml_parse() would attempt to fetch external files or URLs as needed to
>>> > resolve DTD and entity references in an XML value, thus allowing
>>> > unprivileged database users to attempt to fetch data with the privileges
>>> > of the database server.  While the external data wouldn't get returned
>>> > directly to the user, portions of it could be exposed in error messages
>>> > if the data didn't parse as valid XML; and in any case the mere ability
>>> > to check existence of a file might be useful to an attacker.
>>> >
>>> > The ideal solution to this would still allow fetching of references that
>>> > are listed in the host system's XML catalogs, so that documents can be
>>> > validated according to installed DTDs.  However, doing that with the
>>> > available libxml2 APIs appears complex and error-prone, so we're not going
>>> > to risk it in a security patch that necessarily hasn't gotten wide review.
>>> > So this patch merely shuts off all access, causing any external fetch to
>>> > silently expand to an empty string.  A future patch may improve this.
>>>
>>> With that, the obvious affordance on the xmlvalidate implementation
>>> was to not rely on external schema sources on the host
>>> catalog. Therefore the implementation relies solely on expressions
>>> that necessarily evaluate to a schema in plain text.
>>>
>>> I added the requested documentation and a bunch of tests for each
>>> scenario. I would appreciate another round of reviews whenever someone
>>> has the time and patience.
>>>
>>> At last, to nourish the curiosity: I had issues with make check, as
>>> stated above on the e-mail thread. These got resolved when I changed
>>> `execl` to `execlp` on `pg_regress.c`. I of course did not commit
>>> such, but more people I know have had the very same issue while
>>> relying on immutable package managers.
>
> Hi!
> First of all, please do not top post 🙏. Use down-posting.
>
> About general interest in feature - I suspect that we as a community are generally interested in implementing items from TODO list. This feature also increases SQL standard compatibility. But I am myself not a big SQL/XML user, so I can only give limited review here. I also did not have much time last month. I will try to find my cycles to give another look here.

Thank you very much for reaching back. Sorry about the bad e-mail etiquette, hopefully it’s corrected now.

About the patch, let me know if you find the time to review!

Thanks once again!
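
The commit message quoted in this thread describes the mitigation as making every external fetch "silently expand to an empty string". As an added illustration (not part of the original e-mail and not PostgreSQL's code, which does this in C with libxml2), the sketch below applies the same policy with Python's expat binding and contrasts it with rejecting the document outright; `parse_untrusted`, the `on_external` switch and the sample document are assumptions constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed sample: one internal entity plus one external entity whose
# system identifier is a placeholder path (it is never opened).
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [\n'
    '  <!ENTITY greeting "hello">\n'
    '  <!ENTITY ext SYSTEM "file:///placeholder/not-read.txt">\n'
    ']>\n'
    '<note>&greeting;[&ext;]</note>'
)


def parse_untrusted(document, on_external="empty"):
    """Parse XML without ever dereferencing an external entity.

    on_external="empty": the reference silently expands to "" (the policy
    the quoted commit message describes).
    on_external="reject": the whole parse fails instead.
    Returns (text, blocked_system_ids, error_message_or_None).
    """
    text, blocked = [], []
    parser = expat.ParserCreate()

    def refuse(context, base, system_id, public_id):
        blocked.append(system_id)  # audit trail only; nothing is fetched
        # Non-zero tells expat the entity was handled; since no replacement
        # text is supplied it contributes nothing. Zero aborts the parse.
        return 1 if on_external == "empty" else 0

    parser.ExternalEntityRefHandler = refuse
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:
        return None, blocked, expat.ErrorString(exc.code)
    return "".join(text), blocked, None


if __name__ == "__main__":
    print(parse_untrusted(SAMPLE))
    print(parse_untrusted(SAMPLE, on_external="reject"))
```

With the silent policy the caller cannot tell from the parsed text that a reference was dropped, so the `blocked` list is what a log or detection rule would key on.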
