| From: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | expand refint docs with usage info |
| Date: | 2026-05-26 16:53:03 |
| Message-ID: | ahXP7z7nsfGPOZ3T@nathan |
| Lists: | pgsql-hackers |

The security team has received a couple of reports about potential SQL
injection opportunities via refint's trigger arguments. We discussed this
while preparing CVE-2026-6637 and concluded that forcibly quoting these
arguments would be much more likely to break working code than to prevent
any exploits. Unlike data values, the table/column names come from trigger
arguments, and there is little reason for a trigger author to put hostile
inputs into those arguments.

The attached documentation patch was originally intended to go along with
CVE-2026-6637, but we ultimately scoped it down to only the
security-relevant parts. This should be back-patched to v14. Note that we
are preparing to remove refint completely in v20, but IMHO this doc
update is still worth doing.

Thoughts?

--
nathan

| Attachment | Content-Type | Size |
|---|---|---|
| v1-0001-expand-refint-docs-with-usage-info.patch | text/plain | 4.2 KB |