public inbox for pgsql-bugs@postgresql.org
From: Japin Li <japinli@hotmail.com>
To: David G. Johnston <david.g.johnston@gmail.com>
Cc: Kirill Reshke <reshkekirill@gmail.com>
Cc: PostgreSQL mailing lists <pgsql-bugs@lists.postgresql.org>
Cc: zengman <zengman@halodbtech.com>
Subject: Re: BUG #19478: `dblink_close` can be used for injection.
Date: Mon, 18 May 2026 11:10:04 +0800
Message-ID: <SY7PR01MB109210EEFFFD92EB4C223211EB6032@SY7PR01MB10921.ausprd01.prod.outlook.com>
In-Reply-To: <CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com>
References: <19478-37289e8b0d1a1299@postgresql.org>
<SY7PR01MB1092112D26F767633CF783E88B6052@SY7PR01MB10921.ausprd01.prod.outlook.com>
<CALdSSPjBpUfY=S2i_3ACqF7YUJ=po1TDwYnDPDx38=j8LKXj7g@mail.gmail.com>
<CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com>
On Fri, 15 May 2026 at 21:28, "David G. Johnston" <david.g.johnston@gmail.com> wrote:
> On Friday, May 15, 2026, Kirill Reshke <reshkekirill@gmail.com> wrote:
>
> On Sat, 16 May 2026, 06:24 Japin Li, <japinli@hotmail.com> wrote:
>
> On Fri, 15 May 2026 at 01:29, PG Bug reporting form <noreply@postgresql.org> wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 19478
> > Logged by: Man Zeng
> > Email address: zengman@halodbtech.com
> > PostgreSQL version: 18.4
> > Operating system: 24.04.1-Ubuntu
> > Description:
> >
> >
> >
> > - appendStringInfo(&buf, "CLOSE %s", curname);
> > + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
> >
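Review bot: quoting curname only at the CLOSE site is inconsistent with the other places that interpolate the same name unquoted (dblink_open's DECLARE and dblink_fetch's FETCH, as David points out below), so a mixed-case name that was declared unquoted and folded to lowercase would no longer be matched by `CLOSE "MixedCase"`; apply quote_ident_cstr at every site that interpolates curname or at none. The two lines also arrive without a file or @@ hunk header, so please resend as a proper diff, with a regression test that covers a mixed-case name and a name containing a double quote.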
>
> According to the documentation [1], it should be a cursor name. Wrapping it
> in quotes can prevent attacks like SQL injection. I think your modification
> is correct, and we should add test cases for it.
>
> [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html
>
>
> Well, is there any actual injection? I mean, if a user can execute dblink_close, then the user can do an SQL with
> dblink_open and simply do a SQL? Unless weird case when we only granted with close function, I guess
>
I think this is similar to SQL injection. However, no actual injection happened.
> Switching to quote_ident means we no longer lowercase an unquoted input. Is this improvement in api design worth the
> potential breakage? If so, make sure we at least change the dblink_open (and fetch…) code similarly.
>
> I'm disinclined to change this unless it's shown the only possible use of the identifier is within the dblink function
> arguments where we can change all uses to quote_identifier. Even then, inconsistent capitalization still might exist.
>
I don't think the current implementation is acceptable. Could we restrict the
cursor name to identifier characters?
> David J.
--
Regards,
Japin Li
ChengDu WenWu Information Technology Co., Ltd.
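Added example (my own C, not PostgreSQL's dblink code) contrasting the two mitigations discussed in this thread: a simplified stand-in for quote_identifier, which shows both how quoting keeps a hostile name inside the identifier and the case-folding change David raises, and the identifier-characters-only check Japin proposes. ident_chars_only, quote_ident_simple, build_close_stmt and is_acceptable_cursor_name are hypothetical names; the real quote_identifier also quotes SQL keywords, which this stand-in omits.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Non-empty, not digit-led, only letters/digits/'_'; with lowercase_only an
 * uppercase letter also fails, since an unquoted identifier would fold it. */
static bool ident_chars_only(const char *name, bool lowercase_only)
{
    if (name[0] == '\0' || isdigit((unsigned char) name[0]))
        return false;
    for (const unsigned char *p = (const unsigned char *) name; *p; p++)
        if (*p != '_' && !isdigit(*p) && !islower(*p) && (lowercase_only || !isupper(*p)))
            return false;
    return true;
}

/* Hypothetical stand-in for quote_identifier, not PostgreSQL's code (the real one
 * also quotes keywords): plain lowercase names pass through; anything else is
 * double-quoted with embedded quotes doubled, so no byte can end the identifier. */
static char *quote_ident_simple(const char *name)
{
    char *out = malloc(2 * strlen(name) + 3), *w = out;  /* worst case: every byte doubled */
    if (ident_chars_only(name, true))
        return strcpy(out, name);
    *w++ = '"';
    for (const char *p = name; *p; p++) {
        if (*p == '"') *w++ = '"';
        *w++ = *p;
    }
    *w++ = '"'; *w = '\0';
    return out;
}

/* The CLOSE text the patched dblink_close would send (caller frees). Side effect
 * David raises: "MyCur" becomes CLOSE "MyCur", which no longer matches a cursor
 * that was declared unquoted and therefore folded to mycur. */
static char *build_close_stmt(const char *curname)
{
    char *q = quote_ident_simple(curname);
    char *stmt = malloc(strlen(q) + 7);           /* "CLOSE " + name + NUL */
    strcpy(stmt, "CLOSE "); strcat(stmt, q);
    free(q);
    return stmt;
}

/* Japin's alternative: refuse non-identifier bytes and let the server fold case. */
static bool is_acceptable_cursor_name(const char *name)
{
    return ident_chars_only(name, false);
}
```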