Thread
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
doc: Expand on proper use of refint.
- c0392783c541 17 (unreleased) landed
- be176e0a6d38 18 (unreleased) landed
- 673161b63e24 14 (unreleased) landed
- 668ecfda7250 15 (unreleased) landed
- 4b328ebfa85a 16 (unreleased) landed
- 1541d91d1cca 19 (unreleased) landed
-
expand refint docs with usage info
Nathan Bossart <nathandbossart@gmail.com> — 2026-05-26T16:53:03Z
The security team has received a couple of reports about potential SQL injection opportunities via refint's trigger arguments. We discussed this while preparing CVE-2026-6637 and concluded that forcibly quoting these arguments would be much more likely to break working code than to prevent any exploits. Unlike data values, the table/column names come from trigger arguments, and there is little reason for a trigger author to put hostile inputs into those arguments. The attached documentation patch was originally intended to go along with CVE-2026-6637, but we ultimately scoped it down to only the security-relevant parts. This should be back-patched to v14. Note that we are preparing to removing refint completely in v20, but IMHO this doc update is still worth doing. Thoughts? -- nathan
-
Re: expand refint docs with usage info
Christoph Berg <myon@debian.org> — 2026-05-26T17:04:30Z
Re: Nathan Bossart > This should be back-patched to v14. Note that we are preparing to > removing refint completely in v20, but IMHO this doc update is still > worth doing. I suggest mentioning the deprecation in the same place. Christoph
-
Re: expand refint docs with usage info
SATYANARAYANA NARLAPURAM <satyanarlapuram@gmail.com> — 2026-05-26T17:34:54Z
Hi, On Tue, May 26, 2026 at 9:53 AM Nathan Bossart <nathandbossart@gmail.com> wrote: > The security team has received a couple of reports about potential SQL > injection opportunities via refint's trigger arguments. We discussed this > while preparing CVE-2026-6637 and concluded that forcibly quoting these > arguments would be much more likely to break working code than to prevent > any exploits. Unlike data values, the table/column names come from trigger > arguments, and there is little reason for a trigger author to put hostile > inputs into those arguments. > > The attached documentation patch was originally intended to go along with > CVE-2026-6637, but we ultimately scoped it down to only the > security-relevant parts. This should be back-patched to v14. Note that we > are preparing to removing refint completely in v20, but IMHO this doc > update is still worth doing. > > Thoughts? > LGTM. Thanks, Satya
-
Re: expand refint docs with usage info
Nathan Bossart <nathandbossart@gmail.com> — 2026-05-26T19:39:26Z
On Tue, May 26, 2026 at 07:04:30PM +0200, Christoph Berg wrote: > Re: Nathan Bossart >> This should be back-patched to v14. Note that we are preparing to >> removing refint completely in v20, but IMHO this doc update is still >> worth doing. > > I suggest mentioning the deprecation in the same place. Agreed, but I'd rather leave that for the removal effort. -- nathan