Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wNmZK-0013Td-2E for pgsql-bugs@arkaria.postgresql.org; Fri, 15 May 2026 07:02:46 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wNmYK-00Go7F-22 for pgsql-bugs@arkaria.postgresql.org; Fri, 15 May 2026 07:01:44 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wNhNT-00FqXf-2r for pgsql-bugs@lists.postgresql.org; Fri, 15 May 2026 01:30:12 +0000 Received: from mahout.postgresql.org ([2001:4800:3e1:1::227]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wNhNP-00000000flz-3qCv for pgsql-bugs@lists.postgresql.org; Fri, 15 May 2026 01:30:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=postgresql.org; s=20171124; h=Message-ID:Date:Reply-To:Cc:From:To:Subject: Content-Transfer-Encoding:MIME-Version:Content-Type:Sender:Content-ID: Content-Description:In-Reply-To:References; bh=iGQxibrdvujhX97G4e3IkrGmkJSZrkW/VmI2HeT5qZo=; b=vbHTso10Fx4wODqS6G4H8ETndI eLhG9L2f35rTOFCtF428RuTpv2zhZ/jm4YUN8a79nuRQwIyk+0RWVrVLLF0VC4NHSzcXNIMwPkeGS 4MF6cf+4lvNTBKKAwKA2Yhx3m5z938MjxNCqpEk+HUsM0aVTt/4OkNVAC2ncLUY69wc+chjzn7qDt C5s7ooNif68RQuF9LyDCZ/co+QrsFQWbb3+jbqPlDI3TupYj/LSSDt4npncEG/tqB3QkiEsyMpXNo vUfnibTdWSwScYYGv7vHgNu8a8TgepM4hwuzpjIvJ+7Caus9iIWJ502uiysMivXe9ACojC+cMy+39 ByDbgmmg==; Received: from wrigleys.postgresql.org ([2a02:16a8:dc51::60]) by mahout.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wNhNN-001o0V-2Z for pgsql-bugs@lists.postgresql.org; Fri, 15 May 2026 01:30:06 +0000 Received: from localhost ([127.0.0.1] helo=wrigleys.postgresql.org) by wrigleys.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wNhNL-003bEo-39 for pgsql-bugs@lists.postgresql.org; Fri, 15 May 2026 01:30:03 +0000 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Subject: BUG #19478: `dblink_close` can be used for injection. To: pgsql-bugs@lists.postgresql.org From: PG Bug reporting form Cc: zengman@halodbtech.com Reply-To: zengman@halodbtech.com, pgsql-bugs@lists.postgresql.org Date: Fri, 15 May 2026 01:29:54 +0000 Message-ID: <19478-37289e8b0d1a1299@postgresql.org> X-Auto-Response-Suppress: All Auto-Submitted: auto-generated List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk The following bug has been logged on the website: Bug reference: 19478 Logged by: Man Zeng Email address: zengman@halodbtech.com PostgreSQL version: 18.4 Operating system: 24.04.1-Ubuntu Description: =20 Hi all, I think we can impose stricter restrictions on the parameters of `dblink_close`. For example, when calling `dblink_close`, certain operations can be achieved through SQL concatenation, which I believe is unexpected behavior. ```sql postgres@zxm-VMware-Virtual-Platform:~/Z-Xiao-M$ psql psql (19devel) Type "help" for help. postgres=3D# \c test You are now connected to database "test" as user "postgres". test=3D# CREATE EXTENSION IF NOT EXISTS dblink; CREATE EXTENSION test=3D# SELECT dblink_connect('c', 'dbname=3D' || current_database()); dblink_connect ---------------- OK (1 row) test=3D# SELECT dblink_open('c', 'cur', 'SELECT 1'); dblink_open ------------- OK (1 row) test=3D# -- CLOSE: CREATE TABLE test=3D# SELECT dblink_close('c', 'cur; CREATE TABLE hacked(id int); --'); dblink_close -------------- OK (1 row) test=3D# \d+ hacked Table "public.hacked" Column | Type | Collation | Nullable | Default | Storage | Compression | Stats target | Description --------+---------+-----------+----------+---------+---------+-------------= +--------------+------------- id | integer | | | | plain | | | Access method: heap test=3D# SELECT dblink_disconnect('c'); dblink_disconnect ------------------- OK (1 row) test=3D# SELECT dblink_connect('c', 'dbname=3D' || current_database()); dblink_connect ---------------- OK (1 row) test=3D# SELECT dblink_open('c', 'cur', 'SELECT 1'); dblink_open ------------- OK (1 row) test=3D# -- CLOSE: DROP TABLE test=3D# SELECT dblink_close('c', 'cur; DROP TABLE hacked; --'); dblink_close -------------- OK (1 row) test=3D# \d+ hacked Did not find any relation named "hacked". test=3D# ``` This is my SQL for reproducing the problem. ```sql CREATE EXTENSION IF NOT EXISTS dblink; SELECT dblink_connect('c', 'dbname=3D' || current_database()); SELECT dblink_open('c', 'cur', 'SELECT 1'); -- CLOSE: CREATE TABLE SELECT dblink_close('c', 'cur; CREATE TABLE hacked(id int); --'); SELECT dblink_disconnect('c'); \d+ hacked SELECT dblink_connect('c', 'dbname=3D' || current_database()); SELECT dblink_open('c', 'cur', 'SELECT 1'); -- CLOSE: DROP TABLE SELECT dblink_close('c', 'cur; DROP TABLE hacked; --'); \d+ hacked SELECT dblink_disconnect('c'); ``` The solution to this problem is also very simple. ``` postgres@zxm-VMware-Virtual-Platform:~/code/postgres/contrib$ git diff diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c index 9798cb535bc..0a9334aa160 100644 --- a/contrib/dblink/dblink.c +++ b/contrib/dblink/dblink.c @@ -543,7 +543,7 @@ dblink_close(PG_FUNCTION_ARGS) =20 conn =3D rconn->conn; =20 - appendStringInfo(&buf, "CLOSE %s", curname); + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname)); =20 /* close the cursor */ res =3D libpqsrv_exec(conn, buf.data, dblink_we_get_result); ``` This is the feedback from the security team. ``` Thanks for your report. We consider dblink_close() to be caller-trusted, and thus this is not considered a security vulnerability. Feel free to resubmit to pgsql-bugs@lists.postgresql.org. ``` Any thought? -- regards, Man Zeng