public inbox for pgsql-bugs@postgresql.org
From: David G. Johnston <david.g.johnston@gmail.com>
To: Kirill Reshke <reshkekirill@gmail.com>
Cc: Japin Li <japinli@hotmail.com>
Cc: PostgreSQL mailing lists <pgsql-bugs@lists.postgresql.org>
Cc: zengman <zengman@halodbtech.com>
Subject: Re: BUG #19478: `dblink_close` can be used for injection.
Date: Fri, 15 May 2026 21:28:56 -0700
Message-ID: <CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com>
In-Reply-To: <CALdSSPjBpUfY=S2i_3ACqF7YUJ=po1TDwYnDPDx38=j8LKXj7g@mail.gmail.com>
References: <19478-37289e8b0d1a1299@postgresql.org>
<SY7PR01MB1092112D26F767633CF783E88B6052@SY7PR01MB10921.ausprd01.prod.outlook.com>
<CALdSSPjBpUfY=S2i_3ACqF7YUJ=po1TDwYnDPDx38=j8LKXj7g@mail.gmail.com>
On Friday, May 15, 2026, Kirill Reshke <reshkekirill@gmail.com> wrote:
>
>
> On Sat, 16 May 2026, 06:24 Japin Li, <japinli@hotmail.com> wrote:
>
>> On Fri, 15 May 2026 at 01:29, PG Bug reporting form <noreply@postgresql.org> wrote:
>> > The following bug has been logged on the website:
>> >
>> > Bug reference: 19478
>> > Logged by: Man Zeng
>> > Email address: zengman@halodbtech.com
>> > PostgreSQL version: 18.4
>> > Operating system: 24.04.1-Ubuntu
>> > Description:
>> >
>> >
>> >
>> > - appendStringInfo(&buf, "CLOSE %s", curname);
>> > + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
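Review bot: quoting curname only at the CLOSE site leaves it inconsistent with dblink_open and dblink_fetch, which (as the later replies note) still interpolate the same name raw: a cursor opened as MyCursor is case-folded to mycursor on the remote side, while `CLOSE "MyCursor"` built with quote_ident_cstr looks for a case-preserved name and will not find it. Either apply quote_ident_cstr at the DECLARE and FETCH sites in the same patch or spell out the behaviour change for existing callers. The submission also carries no regression test; one that opens and closes a mixed-case name and one that passes a name containing `;` would cover both the injection claim and the compatibility question.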
>> >
>>
>>
>> According to the documentation [1], it should be a cursor name. Wrapping it
>> in quotes can prevent attacks like SQL injection. I think your modification
>> is correct, and we should add test cases for it.
>>
>> [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html
>>
>
> Well, is there any actual injection? I mean, if a user can execute
> dblink_close, then the user can do SQL with dblink_open and simply do the SQL?
> Unless the weird case where we are only granted the close function, I guess
>
Switching to quote_ident means we no longer lowercase an unquoted input.
Is this improvement in API design worth the potential breakage? If so,
make sure we at least change the dblink_open (and fetch…) code similarly.
I'm disinclined to change this unless it's shown the only possible use of
the identifier is within the dblink function arguments, where we can change all
uses to quote_identifier. Even then, inconsistent capitalization still
might exist.
David J.
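The two points argued above (the injection through raw interpolation into "CLOSE %s", and the case-folding mismatch that quoting only one site would create) can be seen side by side in the following Python model. It is an added illustration, not code from this thread or from dblink itself: `quote_identifier` approximates PostgreSQL's quote_ident() without its keyword table, `split_statements` stands in for the server splitting a multi-statement query string, and `server_name` models only the parser's rule that unquoted identifiers fold to lower case while double-quoted ones keep their case. The cursor names and the injection payload are constructed inputs.

```python
"""Model of the cursor-name handling discussed in this thread.

Constructed example, not dblink's code: it reproduces how a CLOSE statement
is assembled from the curname argument, first raw (current dblink_close)
and then through a quote_ident-style helper (the proposed patch), and what
the server parser would then make of the identifier.
"""
import re

# A plain identifier that quote_ident() leaves untouched. Simplification:
# the real quote_ident() also quotes reserved keywords, which we ignore.
SAFE_IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")


def quote_identifier(ident: str) -> str:
    """Approximate PostgreSQL quote_ident(): pass a plain lowercase name
    through, otherwise double-quote it and double any embedded quotes."""
    if SAFE_IDENT.match(ident):
        return ident
    return '"' + ident.replace('"', '""') + '"'


def build_close(curname: str, quoted: bool) -> str:
    """'CLOSE %s' as dblink_close assembles it: raw interpolation today,
    quote_ident-style interpolation under the proposed patch."""
    return "CLOSE " + (quote_identifier(curname) if quoted else curname)


def split_statements(sql: str) -> list:
    """Split on ';' outside single- or double-quoted runs, i.e. the command
    boundaries a multi-statement query string would be parsed into."""
    stmts, buf, quote = [], [], None
    for ch in sql:
        if quote:                       # inside '...' or "..."
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):          # opening quote
            quote = ch
            buf.append(ch)
        elif ch == ";":                 # statement boundary
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def server_name(token: str) -> str:
    """Name the server stores for an identifier token: a double-quoted
    token keeps its case, an unquoted one is folded to lower case."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('""', '"')
    return token.lower()


def open_close_consistent(curname: str, quote_open: bool, quote_close: bool) -> bool:
    """True when the name DECLAREd by dblink_open and the name CLOSEd by
    dblink_close resolve to the same cursor on the remote side."""
    opened = server_name(quote_identifier(curname) if quote_open else curname)
    closed = server_name(quote_identifier(curname) if quote_close else curname)
    return opened == closed


if __name__ == "__main__":
    payload = "cur1; DROP TABLE customers"      # constructed injection input
    for quoted in (False, True):
        stmt = build_close(payload, quoted)
        print(f"quoted={quoted!s:5} {stmt!r} -> {split_statements(stmt)}")
    for name in ("mycursor", "MyCursor"):
        print(name, "open raw / close raw:      ",
              open_close_consistent(name, False, False))
        print(name, "open raw / close quoted:   ",
              open_close_consistent(name, False, True))
        print(name, "open quoted / close quoted:",
              open_close_consistent(name, True, True))
```

Run as a script it shows the raw build splitting into two commands while the quoted build stays one identifier, and that `MyCursor` opened raw but closed through quote_ident no longer refers to the same cursor, which is the breakage the reply above anticipates unless open, fetch and close are changed together.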