expand refint docs with usage info
Nathan Bossart <nathandbossart@gmail.com> — 2026-05-26T16:53:03Z
The security team has received a couple of reports about potential SQL injection opportunities via refint's trigger arguments. We discussed this while preparing CVE-2026-6637 and concluded that forcibly quoting these arguments would be much more likely to break working code than to prevent any exploits. Unlike data values, the table/column names come from trigger arguments, and there is little reason for a trigger author to put hostile inputs into those arguments.

The attached documentation patch was originally intended to go along with CVE-2026-6637, but we ultimately scoped it down to only the security-relevant parts. This should be back-patched to v14. Note that we are preparing to remove refint completely in v20, but IMHO this doc update is still worth doing.

Thoughts?

--
nathan