Re: BUG #19478: `dblink_close` can be used for injection.
Japin Li <japinli@hotmail.com>
From: Japin Li <japinli@hotmail.com>
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: Kirill Reshke <reshkekirill@gmail.com>, PostgreSQL mailing lists
<pgsql-bugs@lists.postgresql.org>, zengman <zengman@halodbtech.com>
Date: 2026-05-18T03:10:04Z
Lists: pgsql-bugs
On Fri, 15 May 2026 at 21:28, "David G. Johnston" <david.g.johnston@gmail.com> wrote: > On Friday, May 15, 2026, Kirill Reshke <reshkekirill@gmail.com> wrote: > > On Sat, 16 May 2026, 06:24 Japin Li, <japinli@hotmail.com> wrote: > > On Fri, 15 May 2026 at 01:29, PG Bug reporting form <noreply@postgresql.org> wrote: > > The following bug has been logged on the website: > > > > Bug reference: 19478 > > Logged by: Man Zeng > > Email address: zengman@halodbtech.com > > PostgreSQL version: 18.4 > > Operating system: 24.04.1-Ubuntu > > Description: > > > > > > > > - appendStringInfo(&buf, "CLOSE %s", curname); > > + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname)); > > > > According to the documentation [1], it should be a cursor name. Wrapping it > in quotes can prevent attacks like SQL injection. I think your modification > is correct, and we should add test cases for it. > > [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html > > > Well, is there any actual injection? I mean, if user can execute dblink_close, then user can do an SQL with > dblink_open and simply do a SQL? Unless wierd case when we only granted with close function, I guess > I think this is similar to SQL injection. However, no actual injection happened. > Switching to quote_ident means we no longer lowercase an unquoted input. Is this improvement in api design worth the > potential breakage? If so, make sure we at least change the dblink_open (and fetch…) code similarly. > > I’m disinclined to change this unless it’s shown the only possible use of the identifier is within the dblink function > arguments where can change all uses to quote_identifier. Even then, inconsistent capitalization still might exist. > I don't think the current implementation is acceptable. Could we restrict the cursor name to an identifier characters? > David J. -- Regards, Japin Li ChengDu WenWu Information Technology Co., Ltd.