| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Amjad Shahzad <amjadshahzad2000(at)gmail(dot)com> |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #19510: refint.c: SQL injection via unquoted identifier arguments in check_primary_key and check_foreign_key |
| Date: | 2026-06-05 00:06:16 |
| Message-ID: | 3539886.1780617976@sss.pgh.pa.us |
| Lists: | pgsql-bugs |

Amjad Shahzad <amjadshahzad2000(at)gmail(dot)com> writes:
> Patch attached for the issue reported above.

I don't think we can just blindly "quote_identifier" all these
strings. As an example, suppose somebody has set the relname
argument of a trigger to 'myschema.mytable'. Their code works
fine today, and is perfectly secure, and your patch would break it.
Mixed-case identifiers are another trouble spot where quoting
could change the meaning of valid code.

The pgsql-security team already discussed these issues while preparing
the recent CVEs in this area, and concluded that the only workable
path forward is to add documentation explaining that these arguments
are handled as fragments of SQL query text. So any required quoting
is up to the calling application. Fortunately, trigger arguments are
not the sort of thing that's likely to be taken blindly from untrusted
input.

regards, tom lane
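
The two cases named in the message above (a schema-qualified relname and a mixed-case name), as an added Python example that is not part of the original message or of refint.c: a simplified model of PostgreSQL identifier quoting and name resolution, showing that blanket quoting changes which object a name refers to while quoting each component on the calling side does not. `quote_ident`, `resolve` and `qualified` are hypothetical helpers, and the reserved-keyword check of the real `quote_identifier` is omitted.

```python
import re

# Simplified model of quote_identifier(): plain lower-case names pass through,
# everything else is double-quoted. Reserved-keyword check omitted (assumption).
_SAFE = re.compile(r"[a-z_][a-z0-9_]*\Z")

def quote_ident(name: str) -> str:
    if _SAFE.match(name):
        return name
    return '"' + name.replace('"', '""') + '"'

def resolve(fragment: str) -> list[str]:
    """Model how a name written in SQL text is read: dots outside quotes
    separate components, unquoted text folds to lower case, quoted text is
    literal and "" stands for one quote. No other validation is done."""
    parts, buf, i, in_quotes = [], [], 0, False
    while i < len(fragment):
        c = fragment[i]
        if in_quotes:
            if c == '"' and fragment[i + 1:i + 2] == '"':
                buf.append('"')
                i += 1                      # skip the second quote of the pair
            elif c == '"':
                in_quotes = False
            else:
                buf.append(c)
        elif c == '"':
            in_quotes = True
        elif c == '.':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(c.lower())
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted identifier")
    parts.append(''.join(buf))
    return parts

def qualified(*components: str) -> str:
    """Caller-side quoting: quote each component, then join with dots."""
    return '.'.join(quote_ident(c) for c in components)

if __name__ == "__main__":
    # Constructed sample arguments, as a trigger definition might pass them.
    for arg in ("myschema.mytable", "MyTable"):
        print(arg, resolve(arg), "->", quote_ident(arg), resolve(quote_ident(arg)))
    print(qualified("My Schema", 'order"s'))
```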