git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Nathan Bossart <nathan@postgresql.org>
	Mon, 8 Jun 2026 15:33:52 +0000 (10:33 -0500)
committer	Nathan Bossart <nathan@postgresql.org>
	Mon, 8 Jun 2026 15:33:52 +0000 (10:33 -0500)
commit	1541d91d1ccad2f1ac735574fabbacebf9ecbfa5
tree	41e9106496cd590a8d3bdff23b6f615fc1f18884	tree \| snapshot
parent	f58623faa856cfac67f1ff54b951f82f81fa1f59	commit \| diff

doc: Expand on proper use of refint.

The security team has received a couple of reports about potential
SQL injection via refint's trigger arguments.  We discussed this
while preparing CVE-2026-6637 and concluded that forcibly quoting
these arguments is more likely to break working code than to
prevent exploits.  Unlike data values, the table/column names come
from trigger arguments, and there is little reason for a trigger
author to put hostile inputs into those arguments.  So, let's
document it accordingly.

Reported-by: Nikolay Samokhvalov <nik@postgres.ai>
Reported-by: Alex Young <alex000young@gmail.com>
Reported-by: Satyanarayana Narlapuram <satyanarlapuram@gmail.com>
Suggested-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Fujii Masao <masao.fujii@oss.nttdata.com>
Reviewed-by: Christoph Berg <myon@debian.org>
Reviewed-by: Satyanarayana Narlapuram <satyanarlapuram@gmail.com>
Discussion: https://postgr.es/m/ahXP7z7nsfGPOZ3T%40nathan
Backpatch-through: 14