From: Japin Li
To: pgsql-bugs@lists.postgresql.org
Cc: zengman@halodbtech.com
Subject: Re: BUG #19478: `dblink_close` can be used for injection.
In-Reply-To: <19478-37289e8b0d1a1299@postgresql.org> (PG Bug reporting form's message of "Fri, 15 May 2026 01:29:54 +0000")
References: <19478-37289e8b0d1a1299@postgresql.org>
User-Agent: mu4e 1.12.12; emacs 29.3
Date: Sat, 16 May 2026 09:24:15 +0800
Message-ID: <87v7codu4g.fsf@hotmail.com>
Content-Type: text/plain
MIME-Version: 1.0
On Fri, 15 May 2026 at 01:29, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 19478
> Logged by: Man Zeng
> Email address: zengman@halodbtech.com
> PostgreSQL version: 18.4
> Operating system: 24.04.1-Ubuntu
> Description:
>
> Hi all,
>
> I think we can impose stricter restrictions on the parameters of
> `dblink_close`.
> For example, when calling `dblink_close`, certain operations can be achieved
> through SQL concatenation,
> which I believe is unexpected behavior.
>
> ```sql
> postgres@zxm-VMware-Virtual-Platform:~/Z-Xiao-M$ psql
> psql (19devel)
> Type "help" for help.
>
> postgres=# \c test
> You are now connected to database "test" as user "postgres".
> test=# CREATE EXTENSION IF NOT EXISTS dblink;
> CREATE EXTENSION
> test=# SELECT dblink_connect('c', 'dbname=' || current_database());
>  dblink_connect
> ----------------
>  OK
> (1 row)
>
> test=# SELECT dblink_open('c', 'cur', 'SELECT 1');
>  dblink_open
> -------------
>  OK
> (1 row)
>
> test=# -- CLOSE: CREATE TABLE
> test=# SELECT dblink_close('c', 'cur; CREATE TABLE hacked(id int); --');
>  dblink_close
> --------------
>  OK
> (1 row)
>
> test=# \d+ hacked
>                                            Table "public.hacked"
>  Column |  Type   | Collation | Nullable | Default | Storage | Compression | Stats target | Description
> --------+---------+-----------+----------+---------+---------+-------------+--------------+-------------
>  id     | integer |           |          |         | plain   |             |              |
> Access method: heap
>
> test=# SELECT dblink_disconnect('c');
>  dblink_disconnect
> -------------------
>  OK
> (1 row)
>
> test=# SELECT dblink_connect('c', 'dbname=' || current_database());
>  dblink_connect
> ----------------
>  OK
> (1 row)
>
> test=# SELECT dblink_open('c', 'cur', 'SELECT 1');
>  dblink_open
> -------------
>  OK
> (1 row)
>
> test=# -- CLOSE: DROP TABLE
> test=# SELECT dblink_close('c', 'cur; DROP TABLE hacked; --');
>  dblink_close
> --------------
>  OK
> (1 row)
>
> test=# \d+ hacked
> Did not find any relation named "hacked".
> test=#
> ```
>
> This is my SQL for reproducing the problem.
> ```sql
> CREATE EXTENSION IF NOT EXISTS dblink;
>
> SELECT dblink_connect('c', 'dbname=' || current_database());
> SELECT dblink_open('c', 'cur', 'SELECT 1');
>
> -- CLOSE: CREATE TABLE
> SELECT dblink_close('c', 'cur; CREATE TABLE hacked(id int); --');
>
> SELECT dblink_disconnect('c');
> \d+ hacked
>
> SELECT dblink_connect('c', 'dbname=' || current_database());
> SELECT dblink_open('c', 'cur', 'SELECT 1');
>
> -- CLOSE: DROP TABLE
> SELECT dblink_close('c', 'cur; DROP TABLE hacked; --');
>
> \d+ hacked
> SELECT dblink_disconnect('c');
> ```
>
> The solution to this problem is also very simple.
> ```
> postgres@zxm-VMware-Virtual-Platform:~/code/postgres/contrib$ git diff
> diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c
> index 9798cb535bc..0a9334aa160 100644
> --- a/contrib/dblink/dblink.c
> +++ b/contrib/dblink/dblink.c
> @@ -543,7 +543,7 @@ dblink_close(PG_FUNCTION_ARGS)
>
> conn = rconn->conn;
>
> - appendStringInfo(&buf, "CLOSE %s", curname);
> + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
>
> /* close the cursor */
> res = libpqsrv_exec(conn, buf.data, dblink_we_get_result);
> ```
>
> This is the feedback from the security team.
> ```
> Thanks for your report. We consider dblink_close() to be caller-trusted,
> and thus this is not considered a security vulnerability. Feel free to
> resubmit to pgsql-bugs@lists.postgresql.org.
> ```
>
> Any thoughts?

According to the documentation [1], it should be a cursor name. Wrapping it in
quotes can prevent attacks like SQL injection. I think your modification is
correct, and we should add test cases for it.

[1] https://www.postgresql.org/docs/current/contrib-dblink-close.html

> --
> regards,
> Man Zeng

--
Regards,
Japin Li
ChengDu WenWu Information Technology Co., Ltd.
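Review bot: the hunk quotes curname only in the CLOSE command, which puts dblink_close out of step with dblink_open, called with the same cursor name in the reproduction above: if DECLARE (and FETCH) still interpolate curname unquoted, as the pre-patch `appendStringInfo(&buf, "CLOSE %s", curname);` did, a mixed-case name such as MyCur is declared unquoted and folded to mycur by the server but closed as `CLOSE "MyCur"`, which no longer matches. Apply quote_ident_cstr at every point where curname is interpolated so that open, fetch and close agree on the identifier, and pair the change with a regression test under contrib/dblink that passes a cursor name containing `;` to dblink_close and checks that no second statement runs on the remote side; the reply already asks for tests, and the hunk ships without one.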
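An added example, not code from the report, the patch or PostgreSQL itself, that mirrors the two shapes of the CLOSE line in plain C: unquoted "%s" interpolation, as dblink_close builds it before the patch, and quote_ident-style quoting, as the patch proposes. The names quote_ident_simple, build_close and count_statements are this example's own; quote_ident_simple is a simplified stand-in for the server's quote_ident_cstr (it skips the reserved-keyword check), and count_statements is a small checker that counts top-level statements, respecting quoted tokens and `--` comments, so the difference between the two forms can be asserted rather than eyeballed. The payload is the one from the report.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for PostgreSQL's quote_ident(): a name of only lower-case ASCII
 * letters, digits and underscores (not starting with a digit) is returned as
 * is; anything else is wrapped in double quotes with embedded double quotes
 * doubled. The real function's reserved-keyword check is left out here
 * (a simplification for this example). Caller frees the result. */
char *quote_ident_simple(const char *name)
{
    bool safe = *name != '\0' && !isdigit((unsigned char) *name);
    size_t extra = 2;                   /* the surrounding quotes */

    for (const char *p = name; *p; p++)
    {
        unsigned char c = (unsigned char) *p;
        if (!(islower(c) || isdigit(c) || c == '_'))
            safe = false;
        if (c == '"')
            extra++;                    /* room to double it */
    }
    char *out = malloc(strlen(name) + (safe ? 0 : extra) + 1);
    if (out == NULL)
        return NULL;
    char *o = out;
    if (!safe)
        *o++ = '"';
    for (const char *p = name; *p; p++)
    {
        if (*p == '"')
            *o++ = '"';
        *o++ = *p;
    }
    if (!safe)
        *o++ = '"';
    *o = '\0';
    return out;
}

/* Build the CLOSE command as dblink_close does: plain "%s" interpolation when
 * quote is false (the pre-patch line), quote_ident-style quoting when true
 * (the proposed fix). Caller frees the result. */
char *build_close(const char *curname, bool quote)
{
    char *quoted = quote ? quote_ident_simple(curname) : NULL;
    const char *ident = quote ? quoted : curname;
    char *cmd = NULL;

    if (ident != NULL)
    {
        size_t len = strlen("CLOSE ") + strlen(ident) + 1;
        cmd = malloc(len);
        if (cmd != NULL)
            snprintf(cmd, len, "CLOSE %s", ident);
    }
    free(quoted);
    return cmd;
}

/* Count top-level statements: a ';' outside a single- or double-quoted token
 * ends one, and a "--" comment runs to end of line. Dollar quoting and block
 * comments are not handled; enough to check that a CLOSE command carries
 * exactly one statement. */
int count_statements(const char *sql)
{
    int n = 0;
    bool text = false;                  /* non-blank text since last ';' */
    char quote = '\0';

    for (const char *p = sql; *p; p++)
    {
        if (quote)                      /* inside 'literal' or "identifier" */
        {
            if (*p == quote && p[1] == quote)
                p++;                    /* doubled quote stays in the token */
            else if (*p == quote)
                quote = '\0';
        }
        else if (*p == '"' || *p == '\'')
            quote = *p, text = true;    /* entering a quoted token */
        else if (*p == '-' && p[1] == '-')
        {
            while (p[1] && p[1] != '\n')
                p++;                    /* skip the comment */
        }
        else if (*p == ';')
            n += text, text = false;    /* end of a non-empty statement */
        else if (!isspace((unsigned char) *p))
            text = true;
    }
    return n + (text ? 1 : 0);
}
```

With the report's payload, build_close(payload, false) yields a string that count_statements reports as two statements (the CLOSE and the DROP TABLE, with the trailing `--` swallowing the rest), while build_close(payload, true) yields a single CLOSE whose quoted identifier simply names a cursor that does not exist, which the remote side rejects instead of executing. Plain lower-case names such as `cur` come back from quote_ident_simple unquoted, which is why the fix does not change behaviour for the ordinary case.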