Re: BUG #19478: `dblink_close` can be used for injection.

Japin Li <japinli@hotmail.com>

From: Japin Li <japinli@hotmail.com>
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: Kirill Reshke <reshkekirill@gmail.com>, PostgreSQL mailing lists <pgsql-bugs@lists.postgresql.org>, zengman <zengman@halodbtech.com>
Date: 2026-05-18T03:10:04Z
Lists: pgsql-bugs
On Fri, 15 May 2026 at 21:28, "David G. Johnston" <david.g.johnston@gmail.com> wrote:
> On Friday, May 15, 2026, Kirill Reshke <reshkekirill@gmail.com> wrote:
>
>  On Sat, 16 May 2026, 06:24 Japin Li, <japinli@hotmail.com> wrote:
>
>  On Fri, 15 May 2026 at 01:29, PG Bug reporting form <noreply@postgresql.org> wrote:
>  > The following bug has been logged on the website:
>  >
>  > Bug reference:      19478
>  > Logged by:          Man Zeng
>  > Email address:      zengman@halodbtech.com
>  > PostgreSQL version: 18.4
>  > Operating system:   24.04.1-Ubuntu
>  > Description:        
>  >
>  >
>  >  
>  > -       appendStringInfo(&buf, "CLOSE %s", curname);
>  > +       appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
>  >  
>
>  According to the documentation [1], it should be a cursor name.  Wrapping it
>  in quotes can prevent attacks like SQL injection.  I think your modification
>  is correct, and we should add test cases for it.
>
>  [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html
>   
>
>  Well, is there any actual injection? I mean, if user can execute dblink_close, then user can do an SQL with
>  dblink_open and simply do a SQL? Unless wierd case when we only granted with close function, I guess
>
I think this is similar to SQL injection. However, no actual injection happened.

> Switching to quote_ident means we no longer lowercase an unquoted input. Is this improvement in api design worth the
> potential breakage?  If so, make sure we at least change the dblink_open (and fetch…) code similarly.
>
> I’m disinclined to change this unless it’s shown the only possible use of the identifier is within the dblink function
> arguments where can change all uses to quote_identifier.  Even then, inconsistent capitalization still might exist.
>

I don't think the current implementation is acceptable.  Could we restrict the
cursor name to an identifier characters?

> David J.

-- 
Regards,
Japin Li
ChengDu WenWu Information Technology Co., Ltd.