Thanks Álvaro, Tom and Nathan for the review. On Mon, 2 Feb 2026 at 16:46, Álvaro Herrera <[email protected]> wrote: > > > > +void > > +reject_newline_in_name(const char *objname, const char *objtype) > > +{ > > + /* Report error if name has \n or \r character. */ > > + if (strpbrk(objname, "\n\r")) > > + ereport(ERROR, > > + (errcode(ERRCODE_INVALID_PARAMETER_VALUE)), > > + errmsg("\"%s\" name \"%s\" contains a newline > > or carriage return character",objtype, objname)); > > +} > > I think this error message doesn't work very well. Having the > "database" word be an untranslatable piece of the message makes no sense > to me. I would rather have the ereport() in each place where this is > needed so that we can have a complete phrase to translate, and avoid > this wrinkle. Alternatively you could pass the error message from the > caller (to abstract away the strpbrk() call) but I'm not sure that's > really all that useful.
Fixed. > > BTW, looking at generate_db in src/bin/pg_upgrade/t/002_pg_upgrade.pl I > wonder why don't we reject BEL here also. (Or actually, maybe not, but > I think commit 322becb6085c was wrong to lose the part of the comment > that explained the reason.) > > > --- a/src/bin/scripts/t/020_createdb.pl > > +++ b/src/bin/scripts/t/020_createdb.pl > > @@ -241,6 +241,18 @@ $node->command_fails( > > ], > > 'fails for invalid locale provider'); > > > > +$node->command_fails_like( > > + [ 'createdb', "invalid \n dbname" ], > > + qr(contains a newline or carriage return character), > > + 'fails if database name containing newline character in name' > > +); > > + > > +$node->command_fails_like( > > + [ 'createdb', "invalid \r dbname" ], > > + qr(contains a newline or carriage return character),, > > + 'fails if database name containing carriage return character in name' > > +); > > Note there are two commas the the qr() line in the second stanza. Seems > to be innocuous, because the test log shows Fixed. > > # Running: createdb invalid > dbname > [11:57:00.942](0.012s) ok 34 - fails if database name containing newline > character in name: exit code not 0 > [11:57:00.942](0.000s) ok 35 - fails if database name containing newline > character in name: matches > # Running: createdb invalid ^M dbname > [11:57:00.953](0.011s) ok 36 - fails if database name containing carriage > return character in name: exit code not 0 > [11:57:00.954](0.000s) ok 37 - fails if database name containing carriage > return character in name: matches > > but it'd look nicer without those commas. Also, the "fails if ... > containing" test names sound ungrammatical to me. Fixed. > > -- > Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/ > "Always assume the user will do much worse than the stupidest thing > you can imagine." (Julien PUYDT) Based on suggestions, I removed the new added function and changed the error message and added a check for tablespace also. Here, I am attaching updated patches. -- Thanks and Regards Mahendra Singh Thalor EnterpriseDB: http://www.enterprisedb.com
From 29c2da33a521094d9969d2cacd3ef4152f5da933 Mon Sep 17 00:00:00 2001 From: Mahendra Singh Thalor <[email protected]> Date: Wed, 4 Feb 2026 00:12:48 +0530 Subject: [PATCH 1/2] don't allow newline or carriage return character in name for database/user/role/tablespace While creating database, if database name has any newline or carriage return character in name, then through error becuase these special character are not allowed in dbname when dump command is executed. do same for "CREATE ROLE", "CREATE USER" also. This will add check for: "CREATE DATABASE", "CREATE ROLE", "CREATE USER", "CREATE TABLESPACE" "RENAME DATABASE/USER/ROLE/TABLESPACE" ------------------------- As we will not allow these \n\r in names, then we will never get these names in dump also. If we are dumping from older branch, then we will fail with same old error. (dump will fail in older branches so no need to add extra handling for dump.) Also remove comment added by 142c24c23447f212e642a0ffac9af878b93f490d commit. Remove one test of 8b845520fb0aa50fea7aae44a45cee1b6d87845d commit. --- src/backend/commands/dbcommands.c | 12 ++++++++++++ src/backend/commands/tablespace.c | 12 ++++++++++++ src/backend/commands/user.c | 12 ++++++++++++ src/bin/pg_dump/t/010_dump_connstr.pl | 14 -------------- src/bin/scripts/t/020_createdb.pl | 12 ++++++++++++ src/fe_utils/string_utils.c | 6 ------ src/include/commands/defrem.h | 1 + .../unsafe_tests/expected/alter_system_table.out | 5 +++++ .../modules/unsafe_tests/expected/rolenames.out | 4 ++++ .../unsafe_tests/sql/alter_system_table.sql | 4 ++++ src/test/modules/unsafe_tests/sql/rolenames.sql | 2 ++ src/test/regress/expected/tablespace.out | 5 +++++ src/test/regress/sql/tablespace.sql | 4 ++++ 13 files changed, 73 insertions(+), 20 deletions(-) mode change 100644 => 100755 src/bin/pg_dump/t/010_dump_connstr.pl mode change 100644 => 100755 src/bin/scripts/t/020_createdb.pl diff --git a/src/backend/commands/dbcommands.c b/src/backend/commands/dbcommands.c index 87949054f26..6396d3e7caf 100644 --- a/src/backend/commands/dbcommands.c +++ b/src/backend/commands/dbcommands.c @@ -742,6 +742,12 @@ createdb(ParseState *pstate, const CreatedbStmt *stmt) CreateDBStrategy dbstrategy = CREATEDB_WAL_LOG; createdb_failure_params fparms; + /* Report error if name has \n or \r character. */ + if (strpbrk(dbname, "\n\r")) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE)), + errmsg("database name \"%s\" contains a newline or carriage return character",dbname)); + /* Extract options from the statement node tree */ foreach(option, stmt->options) { @@ -1910,6 +1916,12 @@ RenameDatabase(const char *oldname, const char *newname) int npreparedxacts; ObjectAddress address; + /* Report error if name has \n or \r character. */ + if (strpbrk(newname, "\n\r")) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE)), + errmsg("database name \"%s\" contains a newline or carriage return character",newname)); + /* * Look up the target database's OID, and get exclusive lock on it. We * need this for the same reasons as DROP DATABASE. diff --git a/src/backend/commands/tablespace.c b/src/backend/commands/tablespace.c index 0b064891932..f6dba30da55 100644 --- a/src/backend/commands/tablespace.c +++ b/src/backend/commands/tablespace.c @@ -241,6 +241,12 @@ CreateTableSpace(CreateTableSpaceStmt *stmt) (errcode(ERRCODE_INVALID_NAME), errmsg("tablespace location cannot contain single quotes"))); + /* Report error if name has \n or \r character. */ + if (strpbrk(stmt->tablespacename, "\n\r")) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE)), + errmsg("tablespace name \"%s\" contains a newline or carriage return character",stmt->tablespacename)); + in_place = allow_in_place_tablespaces && strlen(location) == 0; /* @@ -970,6 +976,12 @@ RenameTableSpace(const char *oldname, const char *newname) errmsg("unacceptable tablespace name \"%s\"", newname), errdetail("The prefix \"pg_\" is reserved for system tablespaces."))); + /* Report error if name has \n or \r character. */ + if (strpbrk(newname, "\n\r")) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE)), + errmsg("tablespace name \"%s\" contains a newline or carriage return character",newname)); + /* * If built with appropriate switch, whine when regression-testing * conventions for tablespace names are violated. diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index 8fb9ea25db0..5b9d6634e87 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -171,6 +171,12 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt) DefElem *dbypassRLS = NULL; GrantRoleOptions popt; + /* Report error if name has \n or \r character. */ + if (strpbrk(stmt->role, "\n\r")) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE)), + errmsg("role name \"%s\" contains a newline or carriage return character",stmt->role)); + /* The defaults can vary depending on the original statement type */ switch (stmt->stmt_type) { @@ -1348,6 +1354,12 @@ RenameRole(const char *oldname, const char *newname) ObjectAddress address; Form_pg_authid authform; + /* Report error if name has \n or \r character. */ + if (strpbrk(newname, "\n\r")) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE)), + errmsg("role name \"%s\" contains a newline or carriage return character",newname)); + rel = table_open(AuthIdRelationId, RowExclusiveLock); dsc = RelationGetDescr(rel); diff --git a/src/bin/pg_dump/t/010_dump_connstr.pl b/src/bin/pg_dump/t/010_dump_connstr.pl old mode 100644 new mode 100755 index dc7a33658db..bf2c3b6d00b --- a/src/bin/pg_dump/t/010_dump_connstr.pl +++ b/src/bin/pg_dump/t/010_dump_connstr.pl @@ -153,20 +153,6 @@ $node->command_ok( ], 'pg_dumpall --dbname accepts connection string'); -$node->run_log( - [ 'createdb', '--username' => $src_bootstrap_super, "foo\n\rbar" ]); - -# not sufficient to use --roles-only here -$node->command_fails( - [ - 'pg_dumpall', '--no-sync', - '--username' => $src_bootstrap_super, - '--file' => $discard, - ], - 'pg_dumpall with \n\r in database name'); -$node->run_log( - [ 'dropdb', '--username' => $src_bootstrap_super, "foo\n\rbar" ]); - # make a table, so the parallel worker has something to dump $node->safe_psql( diff --git a/src/bin/scripts/t/020_createdb.pl b/src/bin/scripts/t/020_createdb.pl old mode 100644 new mode 100755 index 83b0077383a..a0995868363 --- a/src/bin/scripts/t/020_createdb.pl +++ b/src/bin/scripts/t/020_createdb.pl @@ -241,6 +241,18 @@ $node->command_fails( ], 'fails for invalid locale provider'); +$node->command_fails_like( + [ 'createdb', "invalid \n dbname" ], + qr(contains a newline or carriage return character), + 'fails if database name contains a newline character in name' +); + +$node->command_fails_like( + [ 'createdb', "invalid \r dbname" ], + qr(contains a newline or carriage return character), + 'fails if database name contains a carriage return character in name' +); + # Check use of templates with shared dependencies copied from the template. my ($ret, $stdout, $stderr) = $node->psql( 'foobar2', diff --git a/src/fe_utils/string_utils.c b/src/fe_utils/string_utils.c index 89ce396ed4f..38fffbd036b 100644 --- a/src/fe_utils/string_utils.c +++ b/src/fe_utils/string_utils.c @@ -568,12 +568,6 @@ appendByteaLiteral(PQExpBuffer buf, const unsigned char *str, size_t length, * Append the given string to the shell command being built in the buffer, * with shell-style quoting as needed to create exactly one argument. * - * Forbid LF or CR characters, which have scant practical use beyond designing - * security breaches. The Windows command shell is unusable as a conduit for - * arguments containing LF or CR characters. A future major release should - * reject those characters in CREATE ROLE and CREATE DATABASE, because use - * there eventually leads to errors here. - * * appendShellString() simply prints an error and dies if LF or CR appears. * appendShellStringNoError() omits those characters from the result, and * returns false if there were any. diff --git a/src/include/commands/defrem.h b/src/include/commands/defrem.h index 8f4a2d9bbc1..bd930b8905d 100644 --- a/src/include/commands/defrem.h +++ b/src/include/commands/defrem.h @@ -162,5 +162,6 @@ extern TypeName *defGetTypeName(DefElem *def); extern int defGetTypeLength(DefElem *def); extern List *defGetStringList(DefElem *def); pg_noreturn extern void errorConflictingDefElem(DefElem *defel, ParseState *pstate); +extern void reject_newline_in_name(const char *objname, const char *objtype); #endif /* DEFREM_H */ diff --git a/src/test/modules/unsafe_tests/expected/alter_system_table.out b/src/test/modules/unsafe_tests/expected/alter_system_table.out index b73b9442b8d..39c90ce30a7 100644 --- a/src/test/modules/unsafe_tests/expected/alter_system_table.out +++ b/src/test/modules/unsafe_tests/expected/alter_system_table.out @@ -64,6 +64,11 @@ ERROR: permission denied: "pg_description" is a system catalog CREATE TABLESPACE pg_foo LOCATION '/no/such/location'; ERROR: unacceptable tablespace name "pg_foo" DETAIL: The prefix "pg_" is reserved for system tablespaces. +-- contains \n\r tablespace name +CREATE TABLESPACE "inavlid +name" LOCATION '/no/such/location'; +ERROR: tablespace name "inavlid +name" contains a newline or carriage return character -- triggers CREATE FUNCTION tf1() RETURNS trigger LANGUAGE plpgsql diff --git a/src/test/modules/unsafe_tests/expected/rolenames.out b/src/test/modules/unsafe_tests/expected/rolenames.out index 61396b2a805..9dfb8475e16 100644 --- a/src/test/modules/unsafe_tests/expected/rolenames.out +++ b/src/test/modules/unsafe_tests/expected/rolenames.out @@ -102,6 +102,10 @@ DETAIL: Role names starting with "pg_" are reserved. CREATE ROLE "pg_abcdef"; -- error ERROR: role name "pg_abcdef" is reserved DETAIL: Role names starting with "pg_" are reserved. +CREATE ROLE "invalid +rolename"; -- error +ERROR: role name "invalid +rolename" contains a newline or carriage return character CREATE ROLE regress_testrol0 SUPERUSER LOGIN; CREATE ROLE regress_testrolx SUPERUSER LOGIN; CREATE ROLE regress_testrol2 SUPERUSER; diff --git a/src/test/modules/unsafe_tests/sql/alter_system_table.sql b/src/test/modules/unsafe_tests/sql/alter_system_table.sql index c1515100845..9812115a6f0 100644 --- a/src/test/modules/unsafe_tests/sql/alter_system_table.sql +++ b/src/test/modules/unsafe_tests/sql/alter_system_table.sql @@ -64,6 +64,10 @@ ALTER TABLE pg_description SET SCHEMA public; -- reserved tablespace name CREATE TABLESPACE pg_foo LOCATION '/no/such/location'; +-- contains \n\r tablespace name +CREATE TABLESPACE "inavlid +name" LOCATION '/no/such/location'; + -- triggers CREATE FUNCTION tf1() RETURNS trigger LANGUAGE plpgsql diff --git a/src/test/modules/unsafe_tests/sql/rolenames.sql b/src/test/modules/unsafe_tests/sql/rolenames.sql index adac36536db..70b342abeb6 100644 --- a/src/test/modules/unsafe_tests/sql/rolenames.sql +++ b/src/test/modules/unsafe_tests/sql/rolenames.sql @@ -75,6 +75,8 @@ CREATE ROLE pg_abc; -- error CREATE ROLE "pg_abc"; -- error CREATE ROLE pg_abcdef; -- error CREATE ROLE "pg_abcdef"; -- error +CREATE ROLE "invalid +rolename"; -- error CREATE ROLE regress_testrol0 SUPERUSER LOGIN; CREATE ROLE regress_testrolx SUPERUSER LOGIN; diff --git a/src/test/regress/expected/tablespace.out b/src/test/regress/expected/tablespace.out index a90e39e5738..185880a3217 100644 --- a/src/test/regress/expected/tablespace.out +++ b/src/test/regress/expected/tablespace.out @@ -958,6 +958,11 @@ ALTER TABLE ALL IN TABLESPACE regress_tblspace_renamed SET TABLESPACE pg_default NOTICE: no matching relations in tablespace "regress_tblspace_renamed" found ALTER MATERIALIZED VIEW ALL IN TABLESPACE regress_tblspace_renamed SET TABLESPACE pg_default; NOTICE: no matching relations in tablespace "regress_tblspace_renamed" found +-- Should fail, contains \n in name +ALTER TABLESPACE regress_tblspace_renamed RENAME TO "invalid +name"; +ERROR: tablespace name "invalid +name" contains a newline or carriage return character -- Should succeed DROP TABLESPACE regress_tblspace_renamed; DROP SCHEMA testschema CASCADE; diff --git a/src/test/regress/sql/tablespace.sql b/src/test/regress/sql/tablespace.sql index dfe3db096e2..c43a59e5957 100644 --- a/src/test/regress/sql/tablespace.sql +++ b/src/test/regress/sql/tablespace.sql @@ -430,6 +430,10 @@ ALTER MATERIALIZED VIEW ALL IN TABLESPACE regress_tblspace_renamed SET TABLESPAC ALTER TABLE ALL IN TABLESPACE regress_tblspace_renamed SET TABLESPACE pg_default; ALTER MATERIALIZED VIEW ALL IN TABLESPACE regress_tblspace_renamed SET TABLESPACE pg_default; +-- Should fail, contains \n in name +ALTER TABLESPACE regress_tblspace_renamed RENAME TO "invalid +name"; + -- Should succeed DROP TABLESPACE regress_tblspace_renamed; -- 2.52.0
From bb9c366c2cbba4e3916366619d83ed74e01c9a6a Mon Sep 17 00:00:00 2001 From: Mahendra Singh Thalor <[email protected]> Date: Wed, 4 Feb 2026 00:36:58 +0530 Subject: [PATCH 2/2] add handling to pg_upgrade to report alert for invalid database, user, role and tablespace names. If database/role/user/tablespace name has any newline or carraige return character in name, then pg_upgrade will report ALERT for these. --- --- --- src/bin/pg_upgrade/check.c | 80 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/src/bin/pg_upgrade/check.c b/src/bin/pg_upgrade/check.c index a8d20a92a98..be3e574459c 100644 --- a/src/bin/pg_upgrade/check.c +++ b/src/bin/pg_upgrade/check.c @@ -34,6 +34,7 @@ static void check_new_cluster_replication_slots(void); static void check_new_cluster_subscription_configuration(void); static void check_old_cluster_for_valid_slots(void); static void check_old_cluster_subscription_state(void); +static void check_db_role_tablespace_names_in_old_cluster(ClusterInfo *cluster); /* * DataTypesUsageChecks - definitions of data type checks for the old cluster @@ -600,6 +601,14 @@ check_and_dump_old_cluster(void) */ check_for_connection_status(&old_cluster); + /* + * Validate database, user, role and tablespace names from old cluser. + * No need to check in 19 or newver version as newline and carriage + * return are not allowed at the creation time of object. + */ + if (GET_MAJOR_VERSION(old_cluster.major_version) < 1900) + check_db_role_tablespace_names_in_old_cluster(&old_cluster); + /* * Extract a list of databases, tables, and logical replication slots from * the old cluster. @@ -2500,3 +2509,74 @@ check_old_cluster_subscription_state(void) else check_ok(); } + +/* + * check_db_role_tablespace_names_in_old_cluster() + * + * If any database, user, role or tablespace name has newline or carriage return + * character in name, then this will report those as these special characters + * are not allowed in these names from v19. + */ +static void +check_db_role_tablespace_names_in_old_cluster(ClusterInfo *cluster) +{ + int i; + PGconn *conn_template1; + PGresult *res; + int ntups; + FILE *script = NULL; + char output_path[MAXPGPATH]; + int count = 0; + + prep_status("Checking names of databases, roles and tablespace"); + + snprintf(output_path, sizeof(output_path), "%s/%s", + log_opts.basedir, + "db_role_tablespace_invalid_names.txt"); + + conn_template1 = connectToServer(cluster, "template1"); + + /* + * Get database, user/role and tablespacenames from cluster. Can't use + * pg_authid because only superusers can view it. + */ + res = executeQueryOrDie(conn_template1, + "SELECT datname AS objname, 'database' AS objtype " + "FROM pg_catalog.pg_database UNION ALL " + "SELECT rolname AS objname, 'role' AS objtype " + "FROM pg_catalog.pg_roles UNION ALL " + "SELECT spcname AS objname, 'tablespace' AS objtype " + "FROM pg_catalog.pg_tablespace ORDER BY 2 "); + + ntups = PQntuples(res); + for (i = 0; i < ntups; i++) + { + char *objname = PQgetvalue(res, i, 0); + char *objtype = PQgetvalue(res, i, 1); + + /* If name has \n or \r, then report it. */ + if (strpbrk(objname, "\n\r")) + { + if (script == NULL && (script = fopen_priv(output_path, "w")) == NULL) + pg_fatal("could not open file \"%s\": %m", output_path); + + fprintf(script, "%d : %s name = \"%s\"\n", ++count, objtype, objname); + } + } + + PQclear(res); + PQfinish(conn_template1); + + if (script) + { + fclose(script); + pg_log(PG_REPORT, "fatal"); + pg_fatal("All the database, role and tablespace names should have only valid characters. A newline or \n" + "carriage return character is not allowed in these object names. To fix this, please \n" + "rename these names with valid names. \n" + "To see all %d invalid object names, refer db_role_tablespace_invalid_names.txt file. \n" + " %s", count, output_path); + } + else + check_ok(); +} -- 2.52.0
