]> git.ipfire.org Git - thirdparty/postgresql.git/commit
doc: Expand on proper use of refint.
authorNathan Bossart <nathan@postgresql.org>
Mon, 8 Jun 2026 15:33:52 +0000 (10:33 -0500)
committerNathan Bossart <nathan@postgresql.org>
Mon, 8 Jun 2026 15:33:52 +0000 (10:33 -0500)
commit668ecfda7250995b8ff4c8a59c3f6371b0efe2a2
tree2a39d891e067f061d22fd65368ea19d38efea083
parentbfeddcf09b684ddb83895f7daaf1e28630718463
doc: Expand on proper use of refint.

The security team has received a couple of reports about potential
SQL injection via refint's trigger arguments.  We discussed this
while preparing CVE-2026-6637 and concluded that forcibly quoting
these arguments is more likely to break working code than to
prevent exploits.  Unlike data values, the table/column names come
from trigger arguments, and there is little reason for a trigger
author to put hostile inputs into those arguments.  So, let's
document it accordingly.

Reported-by: Nikolay Samokhvalov <nik@postgres.ai>
Reported-by: Alex Young <alex000young@gmail.com>
Reported-by: Satyanarayana Narlapuram <satyanarlapuram@gmail.com>
Suggested-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Fujii Masao <masao.fujii@oss.nttdata.com>
Reviewed-by: Christoph Berg <myon@debian.org>
Reviewed-by: Satyanarayana Narlapuram <satyanarlapuram@gmail.com>
Discussion: https://postgr.es/m/ahXP7z7nsfGPOZ3T%40nathan
Backpatch-through: 14
doc/src/sgml/contrib-spi.sgml