| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Kirill Reshke <reshkekirill(at)gmail(dot)com> |
| Cc: | Japin Li <japinli(at)hotmail(dot)com>, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>, zengman <zengman(at)halodbtech(dot)com> |
| Subject: | Re: BUG #19478: `dblink_close` can be used for injection. |
| Date: | 2026-05-16 04:28:56 |
| Message-ID: | CAKFQuwYHJEUrGCyMoCnZFV9CCtCBMp0dTTRxEuCTW2RZMLq4Tw@mail.gmail.com |
| Lists: | pgsql-bugs |
On Friday, May 15, 2026, Kirill Reshke <reshkekirill(at)gmail(dot)com> wrote:
>
>
> On Sat, 16 May 2026, 06:24 Japin Li, <japinli(at)hotmail(dot)com> wrote:
>
>> On Fri, 15 May 2026 at 01:29, PG Bug reporting form <
>> noreply(at)postgresql(dot)org> wrote:
>> > The following bug has been logged on the website:
>> >
>> > Bug reference: 19478
>> > Logged by: Man Zeng
>> > Email address: zengman(at)halodbtech(dot)com
>> > PostgreSQL version: 18.4
>> > Operating system: 24.04.1-Ubuntu
>> > Description:
>> >
>> >
>> >
>> > - appendStringInfo(&buf, "CLOSE %s", curname);
>> > + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
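Review bot: quote_ident_cstr closes the hole on this line (the raw `%s` let a curname containing `;` reach the remote server as additional statements), but it also stops the server from case-folding an unquoted name, so if dblink_open's DECLARE is left as it is, a caller passing 'MyCursor' registers the cursor as mycursor and this CLOSE then looks up "MyCursor" and fails; the same quote_ident_cstr change belongs in dblink_open and dblink_fetch in the same patch, together with a regression test that opens, fetches and closes a mixed-case name and one containing a double quote or a semicolon.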
>> >
>>
>>
>> According to the documentation [1], it should be a cursor name. Wrapping
>> it in quotes can prevent attacks like SQL injection. I think your
>> modification is correct, and we should add test cases for it.
>>
>> [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html
>>
>
> Well, is there any actual injection? I mean, if a user can execute
> dblink_close, then the user can do SQL with dblink_open and simply run SQL?
> Unless the weird case where we are only granted the close function, I guess.
>
Switching to quote_ident means we no longer lowercase an unquoted input.
Is this improvement in API design worth the potential breakage? If so,
make sure we at least change the dblink_open (and fetch…) code similarly.
I’m disinclined to change this unless it’s shown the only possible use of
the identifier is within the dblink function arguments, where we can change
all uses to quote_identifier. Even then, inconsistent capitalization still
might exist.
David J.
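To make the trade-off discussed in this thread concrete, the following is an added example (not part of the thread, and not dblink's own code) that models in Python how the remote server reads the command strings dblink_close and dblink_open send. It assumes, following the reply above, that an unpatched dblink_open still interpolates curname raw into its DECLARE; quote_ident here models quote_ident_cstr without keyword quoting and without the 63-byte identifier truncation, and the statement splitter and identifier folding are simplified models of the server, not its parser. The hostile cursor name is constructed for the demonstration.

```python
"""Model of how the remote server reads what dblink_close / dblink_open send.

Added example for the discussion above; not dblink's code. Assumptions:
the unpatched dblink_open interpolates curname raw, quote_ident is modelled
without keyword quoting or 63-byte truncation, and the server is modelled
only as far as statement splitting and identifier folding.
"""
from __future__ import annotations

import re


def quote_ident(name: str) -> str:
    """Model of quote_ident(): return an all-lower-case [a-z0-9_] name as is,
    otherwise double-quote it and double any embedded double quote."""
    if re.fullmatch(r"[a-z_][a-z0-9_]*", name):
        return name
    return '"' + name.replace('"', '""') + '"'


def split_statements(sql: str) -> list[str]:
    """Split a command string on ';' outside single/double quotes, which is
    how a multi-statement simple-query string is executed."""
    statements: list[str] = []
    current: list[str] = []
    quote: str | None = None
    for ch in sql:
        if quote is not None:
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            current.append(ch)
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    statements.append("".join(current).strip())
    return [s for s in statements if s]


def read_identifier(text: str) -> str:
    """Take the identifier at the start of text and fold it as the server
    does: a double-quoted token is kept verbatim ("" means "), an unquoted
    token is lower-cased (ASCII only here; no truncation)."""
    text = text.lstrip()
    if text.startswith('"'):
        buf: list[str] = []
        i = 1
        while i < len(text):
            if text[i] == '"':
                if text[i + 1:i + 2] == '"':
                    buf.append('"')
                    i += 2
                    continue
                return "".join(buf)
            buf.append(text[i])
            i += 1
        raise ValueError("unterminated quoted identifier")
    match = re.match(r"[^\s;]+", text)
    if match is None:
        raise ValueError("missing identifier")
    return match.group(0).lower()


def cursor_name(stmt: str) -> str | None:
    """Cursor name a DECLARE registers or a CLOSE looks up; None otherwise."""
    m = re.match(r"\s*(DECLARE|CLOSE)\s+", stmt, re.IGNORECASE)
    return read_identifier(stmt[m.end():]) if m else None


def build_close(curname: str, quoted: bool) -> str:
    """dblink_close's command: raw %s before the patch, quote_ident after."""
    return f"CLOSE {quote_ident(curname) if quoted else curname}"


def build_open(curname: str, quoted: bool, sql: str = "SELECT 1") -> str:
    """dblink_open's DECLARE: raw (assumed unpatched) or with the same fix."""
    ident = quote_ident(curname) if quoted else curname
    return f"DECLARE {ident} CURSOR FOR {sql}"


def open_close_match(curname: str, quote_open: bool, quote_close: bool) -> bool:
    """Does the name CLOSE looks up equal the name DECLARE registered?"""
    opened = cursor_name(build_open(curname, quote_open))
    closed = cursor_name(build_close(curname, quote_close))
    return opened == closed


if __name__ == "__main__":
    hostile = "c; DROP TABLE victims"  # constructed hostile cursor name
    print(split_statements(build_close(hostile, quoted=False)))  # two statements
    print(split_statements(build_close(hostile, quoted=True)))   # one CLOSE
    for name in ("my_cursor", "MyCursor"):
        for qo, qc in ((False, False), (False, True), (True, True)):
            print(name, "open quoted:", qo, "close quoted:", qc,
                  "match:", open_close_match(name, qo, qc))
```

The mixed-case row is the breakage David describes: with only dblink_close patched, `MyCursor` is registered as `mycursor` by the raw DECLARE and then looked up as `MyCursor` by the quoted CLOSE; an all-lower-case name is unaffected because quote_ident leaves it unquoted, and quoting both sides restores the match.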