Re: BUG #19478: `dblink_close` can be used for injection.

On Fri, 15 May 2026 at 21:28, "David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
> On Friday, May 15, 2026, Kirill Reshke <reshkekirill(at)gmail(dot)com> wrote:
>
> On Sat, 16 May 2026, 06:24 Japin Li, <japinli(at)hotmail(dot)com> wrote:
>
> On Fri, 15 May 2026 at 01:29, PG Bug reporting form <noreply(at)postgresql(dot)org> wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 19478
> > Logged by: Man Zeng
> > Email address: zengman(at)halodbtech(dot)com
> > PostgreSQL version: 18.4
> > Operating system: 24.04.1-Ubuntu
> > Description:
> >
> >
> >
> > - appendStringInfo(&buf, "CLOSE %s", curname);
> > + appendStringInfo(&buf, "CLOSE %s", quote_ident_cstr(curname));
> >
>
> According to the documentation [1], it should be a cursor name. Wrapping it
> in quotes can prevent attacks like SQL injection. I think your modification
> is correct, and we should add test cases for it.
>
> [1] https://www.postgresql.org/docs/current/contrib-dblink-close.html
>
>
> Well, is there any actual injection? I mean, if user can execute dblink_close, then user can do an SQL with
> dblink_open and simply do a SQL? Unless wierd case when we only granted with close function, I guess
>
I think this is similar to SQL injection. However, no actual injection happened.

> Switching to quote_ident means we no longer lowercase an unquoted input. Is this improvement in api design worth the
> potential breakage? If so, make sure we at least change the dblink_open (and fetch…) code similarly.
>
> I’m disinclined to change this unless it’s shown the only possible use of the identifier is within the dblink function
> arguments where can change all uses to quote_identifier. Even then, inconsistent capitalization still might exist.
>

I don't think the current implementation is acceptable. Could we restrict the
cursor name to an identifier characters?

> David J.

--
Regards,
Japin Li
ChengDu WenWu Information Technology Co., Ltd.