Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wOoO5-000BzJ-1o
	for pgsql-bugs@arkaria.postgresql.org;
	Mon, 18 May 2026 03:11:25 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wOoN3-000v7R-1M
	for pgsql-bugs@arkaria.postgresql.org;
	Mon, 18 May 2026 03:10:22 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <japinli@hotmail.com>)
	id 1wOoN2-000v7I-3B
	for pgsql-bugs@lists.postgresql.org;
	Mon, 18 May 2026 03:10:22 +0000
Received: from
 mail-australiaeastazolkn19011061.outbound.protection.outlook.com
 ([52.103.72.61] helo=SY2PR01CU004.outbound.protection.outlook.com)
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.2)
	(envelope-from <japinli@hotmail.com>)
	id 1wOoN1-000000006gx-1NKg
	for pgsql-bugs@lists.postgresql.org;
	Mon, 18 May 2026 03:10:20 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=H3PqpGjzy8RLVO4HzTFN2WvUTS95VjWI/VZMMChmQvT15DmCgtotOqyVewprcYSXzIYbezdfGNblmwr+Hvq67pvatgkaw+Tk0ZiVpZ//nuM2Lr1JTtX6JhJgvidZtDbv+1jRNXOp59CYrTvEYQIxbTnJpAGuq1phPIMM0g4Ktfj+6ml9rm5ns16WXFjN75xkVeass703Xps2QB/gipwBGIOY+mZuqyLP4vdxU0QpbOrZHqcsSx3VOinR+EEj2Ypz9KDDKGm03WQzjFmmHKv+KWMukQeQu30fuBhOaO2Bl5pzP0gSjC5JwHwvqOCRku1ZbNWYGTae8In6agdspE67aA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=1vAj0eWC6RaRxD4rnfC32+ZAW/TZATLj1G4WS9FUAbY=;
 b=I6MF+vbNVhaA/K8LIbm0lJKkjmrwla/sx/gYeZDShhsUO63k05wGBOm1YHlgCufVXg9Ms7LSubzfm0CfWmdRes4MzNGCRNweI4AQYF7o2siHVjsXFt8oPthADaHUNcRAeeQtXoIPeQBRdwCFWCWt+5PKTaDzPKZop0tKWVwMpB0DuPGMR2rhCor7TeS9djq2JCx6u3o6Unzgrk3Li3jAWtws259ZqDylYk4VlrTMaOpzLobDyZYujwFGUk5oEYuHrzIjeefmRaVOjpA1q5TpWShrrIyBj7vcxZrnsGgx8yPLhsUfrbkyPD8iCrBODm8DPxuXrRbQL9lFa2ckVhIhAg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
 dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=1vAj0eWC6RaRxD4rnfC32+ZAW/TZATLj1G4WS9FUAbY=;
 b=pIbkCN5EXYfZg4wWgIzEgcs64M62b+SQrw47gwvv+sA24KzUJDKGba+CpTXMy6nzuFxmi7hSLAE/oaSodE3dU8k+nISv/coIdLLbZi4c6Ca8TNlg7at/faXRWPoyfpH28xKMk7ycdc1OX30ym/WodVyZawFxrP2ZbFkZZ2rtcnyCQlwoELpFz4LstdfonscDnmRznZtFRICDQpA392a/mlMecRwDo+MxeneqMZsDqzWpx79+G4KS/2s3sTjXoNLJ5E9SElFvLmgrY2WSOWSh/DdmbxWupdYfHwuhxMF4WY8DWsitCgWYCObficZIFTcS9NfQvk8GaJiQmBN8V3SPEw==
Received: from SY7PR01MB10921.ausprd01.prod.outlook.com (2603:10c6:10:334::16)
 by MEYPR01MB6927.ausprd01.prod.outlook.com (2603:10c6:220:14e::12) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.25.23; Mon, 18 May
 2026 03:10:12 +0000
Received: from SY7PR01MB10921.ausprd01.prod.outlook.com
 ([fe80::7908:e00:4ab1:d120]) by SY7PR01MB10921.ausprd01.prod.outlook.com
 ([fe80::7908:e00:4ab1:d120%5]) with mapi id 15.21.0025.022; Mon, 18 May 2026
 03:10:12 +0000
From: Japin Li <japinli@hotmail.com>
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: Kirill Reshke <reshkekirill@gmail.com>,  PostgreSQL mailing lists
 <pgsql-bugs@lists.postgresql.org>,  zengman <zengman@halodbtech.com>
Subject: Re: BUG #19478: `dblink_close` can be used for injection.
In-Reply-To: 
 <CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com>
	(David G. Johnston's message of "Fri, 15 May 2026 21:28:56 -0700")
References: <19478-37289e8b0d1a1299@postgresql.org>
	<SY7PR01MB1092112D26F767633CF783E88B6052@SY7PR01MB10921.ausprd01.prod.outlook.com>
	<CALdSSPjBpUfY=S2i_3ACqF7YUJ=po1TDwYnDPDx38=j8LKXj7g@mail.gmail.com>
	<CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com>
User-Agent: mu4e 1.12.12; emacs 29.3
Date: Mon, 18 May 2026 11:10:04 +0800
Message-ID: 
 <SY7PR01MB109210EEFFFD92EB4C223211EB6032@SY7PR01MB10921.ausprd01.prod.outlook.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: SE2P216CA0124.KORP216.PROD.OUTLOOK.COM
 (2603:1096:101:2c7::8) To SY7PR01MB10921.ausprd01.prod.outlook.com
 (2603:10c6:10:334::16)
X-Microsoft-Original-Message-ID: <87pl2te7lf.fsf@hotmail.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: SY7PR01MB10921:EE_|MEYPR01MB6927:EE_
X-MS-Office365-Filtering-Correlation-Id: d0b1e0d9-cfd1-4f67-0ebc-08deb48af82f
X-Microsoft-Antispam: 
	BCL:0;ARA:14566002|15080799012|19110799012|8060799015|8022599003|41001999006|23021999003|6090799003|5072599009|22091999003|24121999003|24021099003|55001999006|10035399007|4302099013|3412199025|440099028|20061999003|30101999006|26121999007|1602099012;
X-Microsoft-Antispam-Message-Info: 
	=?utf-8?B?TUNuTjcxZENJcWZvS2xmVkdsSHcwWHp5RnU0ZmdMU0pPT0t2b294K1ZobmY3?=
 =?utf-8?B?QzlabmNyU25JMUZ0d3JyaGxmU1JlcmtHck9RUUJQQ1EwMFN6QVBnWXMwTzI1?=
 =?utf-8?B?L1VGOENyU1BxSVViY1U4UGpMLzVVRlRhakJTNURXUGRGSUs0STIvZldGdzF5?=
 =?utf-8?B?Um9LRHMyWGpvOGhNTkV3WGExMmxJVlJXOTJOWGN1MVo1c1BPeXpRYTNXMmxn?=
 =?utf-8?B?clhpQnRMdzFWQ0YzSEpFSDA0YjVpdlBNNStNWmQ2UGZlNlFycTJoaEh0SG95?=
 =?utf-8?B?VWJWejJYdi9UN2grZkRUVVQzTlhFWjRIejAyS1RXY2c1a0pMSEtWTFh6bHcr?=
 =?utf-8?B?TFVHNHluNFpXK3FJNTBCTEg5QVRyc3Jaa3FlTHI2L3hLRjdldjBDMUZSY3RF?=
 =?utf-8?B?L3ltTFEwNU1UbWYyTUxyRWF5S0h2MGJQNG5ZODRlQmZ0T21ucHE4Z00wajRk?=
 =?utf-8?B?aUkwWjdNbnBkc242MTRleFoxQk5kaDRScG5DTGZ3T1BTaStqamxSNlpEMndw?=
 =?utf-8?B?NFZzdFRQeVJ4dzNWTTFxU0EvbkFhcklhTVJnQTVsTGxFeklFTWpUc1p1UlJG?=
 =?utf-8?B?anF6UkhNa2MxcVhtMDZPbFk1U21OcHUySTc3c0dDOXBXem1Ca3laZUZHblJ0?=
 =?utf-8?B?OWYvY00rL2QxenQydnk0QWQyU2RkZHdPbFVxMTY1NkdFdGI0SURrd1ZGZHdY?=
 =?utf-8?B?MHcwcUR2QVRlVngrOU9vMU5UTFFMQkk4aUxESVFFbFU0eExuTTV5UnpNR1ZP?=
 =?utf-8?B?c0xRQXBlZTRsL0Y1c1E5b3JWN3kzRXZhaDh6M1I5d1l0V1BnaURCL2lMQnlV?=
 =?utf-8?B?MGJDWkZhS3NWTG9sb1NYYzV4bHJ6U0F6Zno5TUZMQk9UTlVKSDZoLys5R3JQ?=
 =?utf-8?B?ZHYzWDBUeVdXVzg2eGJKb2Y5ZzFGSFZ3djFYMFFwZXA4RkNNM3dENW1EeS95?=
 =?utf-8?B?VEphdGJrT0JCUktJVzVOYXRyTDlEZVNZY3owOVVlQ0R0eTZkclZiVTVZdU9a?=
 =?utf-8?B?RkZZeDVXWDc0dzZ0TkRiRDNHZkNyeWU4RWQ4OXNIZ09UMEhLak1uZTI3alEy?=
 =?utf-8?B?YjNyMGZxN2lObG1IVjJWYjZEMzBlblU4bXdIblpIMVk3azVuT1BxQjJmcTZ0?=
 =?utf-8?B?clZ2RENWK1lLYVFHcHQ2ZHBqaHJ1WVovd3BIVWN3QUIxV1JUSVJGeCtHcytw?=
 =?utf-8?B?Z0V1TVA1NmFDVm1waENZWmJvMUJSUGpmR2duWkk5SDVyVVFXTkY1cEpYQlhI?=
 =?utf-8?B?YWJuMEFnczk5aVBoWUlscFZ1ZFMwU2I4b1k4blRmMjY1Zy9HQVBjc3orZ1FM?=
 =?utf-8?B?ZVVrb2Q3SlRKMEtBK3BIMm5rdmJqbzVFSHFBM2lvRStpbE1tTHFqc2RiSDRG?=
 =?utf-8?B?N00xVzBpY0J1dklLOC9ZV2ozYkNpWGdKaThuU2x1dVpxT2lPMm5abjg3S29R?=
 =?utf-8?B?LzJXbVhCS0dlaEJrUlZjQlhjeFF2SW1BRGFZNkI5UTdKblR2NWphRHEwbkJS?=
 =?utf-8?B?Vmd6eFZyNms2VERPVHhSUGM4VFBZZ0N4TVhoNldmd2dqTGplN1FGelZtVmJ1?=
 =?utf-8?B?RXE5eGpyYzkwSlFURFEvSjkzUTBPYjdSQ2Zla1QxZ1UwY3ZIZlNNSzk2K0Zq?=
 =?utf-8?B?Wkg4a01MM2kzd2lXOWtxalVsK2xzNjY2QW5Wc3lmcHp5VExaejN3azZTRXpx?=
 =?utf-8?Q?4oBqoU5mg4BZK8hu1SL3?=
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?utf-8?B?MmFXeUo1UUpOV2U0OWdXUkdubmdtdStqV0F5c1haclNSckpkU2tXVmp0ejJN?=
 =?utf-8?B?TVhiWWMxVGhqaEV6K29qaEE1ZDV5TzVOd0w5ckdyUEpFeHZDZmx2aGtueHB1?=
 =?utf-8?B?cE9VZ2xtK3RBRUd6cXJtemp1QjBZUWxxQi84RWc0SGMvYW11L2g2d2s0cFpN?=
 =?utf-8?B?T3A0NnVBQWZxcEpUVjJ1YnNQU2VIbjJSUmxZcVFUL2dOTHRjWS9NdmttMGtj?=
 =?utf-8?B?d3l2VUJvWWVjY0pJUTl2OUVxeDI2cURPSm5NVTY3bm9jUnNtaFE5RGJhRUFm?=
 =?utf-8?B?Vmh4ZmVpUWMzTUcrWjQ4M2hyWXJEZEpvTDlCZVpPeGU1QzRFVm1weFNRa3Fv?=
 =?utf-8?B?TzZyM1hGanEwcmpjYm9oNzVWWTRhVjkycmVMRFk1ajVnUUQxU25RRzN6eHRI?=
 =?utf-8?B?VWVVemNuK0c2UURZQkxtdk9DeEpUNWJsdnU4S3IvVzg4MDJBUWNNUEtDQmlp?=
 =?utf-8?B?YVRnRzQ4VFl5UTVoSE1rNEpEVkFwa2srVEFhd2RRZloxREp2dkdxS1VFenl6?=
 =?utf-8?B?UDh4ZUdMVXpRMGFyKzRPN1pGWUE4TUdMVWxvc2ZvTUlLTHdVZVRoN0hWazdZ?=
 =?utf-8?B?TFZZa1ZYQnd0cjNIR2lBQmkwc2lZcy9pamRQd1hBVVlsUkg2dmh1WEplR2tr?=
 =?utf-8?B?djRnM2Zqa2N4dGNDR092OUlGS2tidmRrc2F3anV3NjRZYWtOcVB4SmlMK3FK?=
 =?utf-8?B?d3g4N1RPVjRhS0QvUXNoL21ZaHRTbTdBL0RTSHRSZnh1UDVieVI2VjVJVWlU?=
 =?utf-8?B?UEpyaURDWXpvRExXRERkcVl5bnJ5cTUvbnNLN25IbWF3TGFDVG43dkhRbmNy?=
 =?utf-8?B?cVN4Y3IvTEZzY2lXeG8xWkh2M01pOGRhYkxxNmRRWVpuTjYzclJoT04wN3Ba?=
 =?utf-8?B?SGI1aENWOXZBS2pyWndLT1BnK1BiZVl6cGtpWXpKWHNBU3hDeXdXNHA3Z2I0?=
 =?utf-8?B?djl5VlVxSkh1UjQ2Ui9BSTJYS0ZTYlJtMVRtblY2OThuTHhtMEUycDJ2QnBC?=
 =?utf-8?B?NXl6S3Qwa1hkYThzU2phcUNnTkwwOVVYWCtKMkFrMHd2KzlsZ1dQTnFMRmNO?=
 =?utf-8?B?RXVMRHNxMjFTZnQ2SHFnQWc0aWVNbzNtbE5BQTFYVXE1dEZ5bEJPQzVGd0xE?=
 =?utf-8?B?eXdxdVZJR3BlSERNNEVDTVdxQnA0d3dpK2JNSzF1SHFkTzZYYlp1V3RWMDU2?=
 =?utf-8?B?cGZDc2tGd1FaZGRRZ3lLS25LN1VIYnVpZG5oUE16RHRKWklqQjd6ZWVIcXZq?=
 =?utf-8?B?NkxQTzZlU2RBdmxPZjZFWnJTZThWTldYcm80U0lvMjZhelZ1MWhrejloR1Nx?=
 =?utf-8?B?b1JTOUtVNm9zRXR1VWJJeUwrSXRENGxveHFVOTQ1TU1EM0RaaFF4UEdKZzg1?=
 =?utf-8?B?MnJ6aUtuWlVyVkZYSEpPS2lSK1B3cDdkVldIdktNV2hRL3NYVjUwa0R5TDBY?=
 =?utf-8?B?bUZ5TEl2YnZEL3VwME1yQXk1R3RMQ01ab0sxaFdPOFJZY0RBa3lHZEJsa1pM?=
 =?utf-8?B?L0ZUSi9mT3ZpL01lUTE3aFErUDVBb3JXZDNBUHRXaWZwNGZiQytGRGI5UGlJ?=
 =?utf-8?B?c3M0YmkxWFRYY08zZWRUbEh5SHZ5VlVuQ2xEai9OQW5ld0RPNXkyRzlxL1BL?=
 =?utf-8?B?akpTOEIzSGdqQk1zTDMyeXR0aUR2czh2ZnVzaXpHR2VPd2lZMnRjL1F3NFJv?=
 =?utf-8?B?VDdXKzE0L0hVVjdwRGN2YzZWc3JyL2FGVWhWYk1KaTU3Nlp5ZVdTS1NTT3dY?=
 =?utf-8?B?VTcvc1ZGU1hGQ3NOZTdHNTJZNlRNVmxvUUNreU5QanFtTUNhUndZbjU2NVdl?=
 =?utf-8?B?MGpkT01iV2g2bTFXZ2RqQ20xZmFGaVNuK2VJMW9YVEVoSitONGs3NXdoUFc0?=
 =?utf-8?Q?vIax88obgmTdH?=
X-OriginatorOrg: sct-15-20-9412-4-msonline-outlook-feddd.templateTenant
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 d0b1e0d9-cfd1-4f67-0ebc-08deb48af82f
X-MS-Exchange-CrossTenant-AuthSource: SY7PR01MB10921.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 May 2026 03:10:12.1851
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 
	00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEYPR01MB6927
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: 
 <https://www.postgresql.org/message-id/SY7PR01MB109210EEFFFD92EB4C223211EB6032%40SY7PR01MB10921.ausprd01.prod.outlook.com>
Precedence: bulk

On Fri, 15 May 2026 at 21:28, "David G. Johnston" <david.g.johnston@gmail.c=
om> wrote:
> On Friday, May 15, 2026, Kirill Reshke <reshkekirill@gmail.com> wrote:
>
>  On Sat, 16 May 2026, 06:24 Japin Li, <japinli@hotmail.com> wrote:
>
>  On Fri, 15 May 2026 at 01:29, PG Bug reporting form <noreply@postgresql.=
org> wrote:
>  > The following bug has been logged on the website:
>  >
>  > Bug reference:      19478
>  > Logged by:          Man Zeng
>  > Email address:      zengman@halodbtech.com
>  > PostgreSQL version: 18.4
>  > Operating system:   24.04.1-Ubuntu
>  > Description:       =20
>  >
>  >
>  > =20
>  > -       appendStringInfo(&buf, "CLOSE %s", curname);
>  > +       appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
>  > =20
>
>  According to the documentation [1], it should be a cursor name.  Wrappin=
g it
>  in quotes can prevent attacks like SQL injection.  I think your modifica=
tion
>  is correct, and we should add test cases for it.
>
>  [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html
>  =20
>
>  Well, is there any actual injection? I mean, if user can execute dblink_=
close, then user can do an SQL with
>  dblink_open and simply do a SQL? Unless wierd case when we only granted =
with close function, I guess
>
I think this is similar to SQL injection. However, no actual injection happ=
ened.

> Switching to quote_ident means we no longer lowercase an unquoted input. =
Is this improvement in api design worth the
> potential breakage?  If so, make sure we at least change the dblink_open =
(and fetch=E2=80=A6) code similarly.
>
> I=E2=80=99m disinclined to change this unless it=E2=80=99s shown the only=
 possible use of the identifier is within the dblink function
> arguments where can change all uses to quote_identifier.  Even then, inco=
nsistent capitalization still might exist.
>

I don't think the current implementation is acceptable.  Could we restrict =
the
cursor name to an identifier characters?

> David J.

--=20
Regards,
Japin Li
ChengDu WenWu Information Technology Co., Ltd.