Thread

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. doc: Expand on proper use of refint.

  1. expand refint docs with usage info

    Nathan Bossart <nathandbossart@gmail.com> — 2026-05-26T16:53:03Z

    The security team has received a couple of reports about potential SQL
    injection opportunities via refint's trigger arguments.  We discussed this
    while preparing CVE-2026-6637 and concluded that forcibly quoting these
    arguments would be much more likely to break working code than to prevent
    any exploits.  Unlike data values, the table/column names come from trigger
    arguments, and there is little reason for a trigger author to put hostile
    inputs into those arguments.
    
    The attached documentation patch was originally intended to go along with
    CVE-2026-6637, but we ultimately scoped it down to only the
    security-relevant parts.  This should be back-patched to v14.  Note that we
    are preparing to removing refint completely in v20, but IMHO this doc
    update is still worth doing.
    
    Thoughts?
    
    -- 
    nathan
    
  2. Re: expand refint docs with usage info

    Christoph Berg <myon@debian.org> — 2026-05-26T17:04:30Z

    Re: Nathan Bossart
    > This should be back-patched to v14.  Note that we are preparing to
    > removing refint completely in v20, but IMHO this doc update is still
    > worth doing.
    
    I suggest mentioning the deprecation in the same place.
    
    Christoph
    
    
    
    
  3. Re: expand refint docs with usage info

    SATYANARAYANA NARLAPURAM <satyanarlapuram@gmail.com> — 2026-05-26T17:34:54Z

    Hi,
    
    On Tue, May 26, 2026 at 9:53 AM Nathan Bossart <nathandbossart@gmail.com>
    wrote:
    
    > The security team has received a couple of reports about potential SQL
    > injection opportunities via refint's trigger arguments.  We discussed this
    > while preparing CVE-2026-6637 and concluded that forcibly quoting these
    > arguments would be much more likely to break working code than to prevent
    > any exploits.  Unlike data values, the table/column names come from trigger
    > arguments, and there is little reason for a trigger author to put hostile
    > inputs into those arguments.
    >
    > The attached documentation patch was originally intended to go along with
    > CVE-2026-6637, but we ultimately scoped it down to only the
    > security-relevant parts.  This should be back-patched to v14.  Note that we
    > are preparing to removing refint completely in v20, but IMHO this doc
    > update is still worth doing.
    >
    > Thoughts?
    >
    
    LGTM.
    
    Thanks,
    Satya
    
  4. Re: expand refint docs with usage info

    Nathan Bossart <nathandbossart@gmail.com> — 2026-05-26T19:39:26Z

    On Tue, May 26, 2026 at 07:04:30PM +0200, Christoph Berg wrote:
    > Re: Nathan Bossart
    >> This should be back-patched to v14.  Note that we are preparing to
    >> removing refint completely in v20, but IMHO this doc update is still
    >> worth doing.
    > 
    > I suggest mentioning the deprecation in the same place.
    
    Agreed, but I'd rather leave that for the removal effort.
    
    -- 
    nathan