Re: BUG #19478: `dblink_close` can be used for injection.
David G. Johnston <david.g.johnston@gmail.com>
From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Kirill Reshke <reshkekirill@gmail.com>
Cc: Japin Li <japinli@hotmail.com>, PostgreSQL mailing lists <pgsql-bugs@lists.postgresql.org>,
zengman <zengman@halodbtech.com>
Date: 2026-05-16T04:28:56Z
Lists: pgsql-bugs
On Friday, May 15, 2026, Kirill Reshke <reshkekirill@gmail.com> wrote: > > > On Sat, 16 May 2026, 06:24 Japin Li, <japinli@hotmail.com> wrote: > >> On Fri, 15 May 2026 at 01:29, PG Bug reporting form < >> noreply@postgresql.org> wrote: >> > The following bug has been logged on the website: >> > >> > Bug reference: 19478 >> > Logged by: Man Zeng >> > Email address: zengman@halodbtech.com >> > PostgreSQL version: 18.4 >> > Operating system: 24.04.1-Ubuntu >> > Description: >> > >> > >> > >> > - appendStringInfo(&buf, "CLOSE %s", curname); >> > + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname)); >> > >> >> >> According to the documentation [1], it should be a cursor name. Wrapping >> it >> in quotes can prevent attacks like SQL injection. I think your >> modification >> is correct, and we should add test cases for it. >> >> [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html >> > > Well, is there any actual injection? I mean, if user can execute >> dblink_close, then user can do an SQL with dblink_open and simply do a SQL? >> Unless wierd case when we only granted with close function, I guess >> > Switching to quote_ident means we no longer lowercase an unquoted input. Is this improvement in api design worth the potential breakage? If so, make sure we at least change the dblink_open (and fetch…) code similarly. I’m disinclined to change this unless it’s shown the only possible use of the identifier is within the dblink function arguments where can change all uses to quote_identifier. Even then, inconsistent capitalization still might exist. David J.