Re: BUG #19510: refint.c: SQL injection via unquoted identifier arguments in check_primary_key and check_foreign_key

Hi Tom,

Thank you for the detailed review and for explaining the security team's
earlier discussion.

You're absolutely right, I missed the schema-qualified name case.
quote_identifier('myschema.mytable') would produce "myschema.mytable"
treating the dot as part of the identifier, which would silently break
existing valid triggers. That's a real regression, and I withdrew the patch.

Understood that the security team's position is documentation rather than a
code fix given these constraints. Thanks again for taking the
time to explain the reasoning.

Regards,
Amjad

On Fri, Jun 5, 2026 at 5:06 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Amjad Shahzad <amjadshahzad2000(at)gmail(dot)com> writes:
> > Patch attached for the issue reported above.
>
> I don't think we can just blindly "quote_identifier" all these
> strings. As an example, suppose somebody has set the relname
> argument of a trigger to 'myschema.mytable'. Their code works
> fine today, and is perfectly secure, and your patch would break it.
> Mixed-case identifiers are another trouble spot where quoting
> could change the meaning of valid code.
>
> The pgsql-security team already discussed these issues while preparing
> the recent CVEs in this area, and concluded that the only workable
> path forward is to add documentation explaining that these arguments
> are handled as fragments of SQL query text. So any required quoting
> is up to the calling application. Fortunately, trigger arguments are
> not the sort of thing that's likely to be taken blindly from untrusted
> input.
>
> regards, tom lane
>