ACL identifier quoting has some issues
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: pgsql-hackers@lists.postgresql.org
Cc: Peter Eisentraut <peter@eisentraut.org>
Date: 2025-07-02T21:36:12Z
Lists: pgsql-hackers
Attachments
- fix-ACL-quoting-logic.patch (text/x-diff) patch
Peter pointed out at [1] that acl.c's getid() behaves oddly
when presented with a string of just two double quotes ("").
If that has any sane interpretation it's as an empty string,
but what you got was a single double quote.
While looking at this I realized that there's another problem:
if the string contains any non-ASCII characters then we will
blindly apply isalnum() to byte(s) with the high bit set,
which will have encoding-dependent, locale-dependent,
and perhaps platform-dependent results. This could easily
result in putid() electing not to quote some string that,
later in some other environment, getid() will decide is not
a valid identifier, causing dump/reload or similar failures.
So I think we need to apply and back-patch something like
the attached. Here I've opined that any non-ASCII is safe.
We could invert that and decide that any non-ASCII is unsafe,
but that seems more likely to break existing dumps than this
choice is.
regards, tom lane
[1] https://www.postgresql.org/message-id/ee96443a-72f3-4a12-8ba7-326069fd1c14%40eisentraut.org
Commits
-
Fix inconsistent quoting of role names in ACLs.
- de73cb3ed6cc 15.14 landed
- ccacaf4fae24 18.0 landed
- ac8cdb2495d5 14.19 landed
- 64840e46243a 19 (unreleased) landed
- 53a936b61f12 16.10 landed
- 50959f96e7b1 17.6 landed
- 093d3d74576e 13.22 landed