ACL identifier quoting has some issues

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: pgsql-hackers@lists.postgresql.org
Cc: Peter Eisentraut <peter@eisentraut.org>
Date: 2025-07-02T21:36:12Z
Lists: pgsql-hackers

Attachments

Peter pointed out at [1] that acl.c's getid() behaves oddly
when presented with a string of just two double quotes ("").
If that has any sane interpretation it's as an empty string,
but what you got was a single double quote.

While looking at this I realized that there's another problem:
if the string contains any non-ASCII characters then we will
blindly apply isalnum() to byte(s) with the high bit set,
which will have encoding-dependent, locale-dependent,
and perhaps platform-dependent results.  This could easily
result in putid() electing not to quote some string that,
later in some other environment, getid() will decide is not
a valid identifier, causing dump/reload or similar failures.

So I think we need to apply and back-patch something like
the attached.  Here I've opined that any non-ASCII is safe.
We could invert that and decide that any non-ASCII is unsafe,
but that seems more likely to break existing dumps than this
choice is.

			regards, tom lane

[1] https://www.postgresql.org/message-id/ee96443a-72f3-4a12-8ba7-326069fd1c14%40eisentraut.org

Commits

  1. Fix inconsistent quoting of role names in ACLs.