Hi, On Tue, May 26, 2026 at 9:53 AM Nathan Bossart <[email protected]> wrote:
> The security team has received a couple of reports about potential SQL > injection opportunities via refint's trigger arguments. We discussed this > while preparing CVE-2026-6637 and concluded that forcibly quoting these > arguments would be much more likely to break working code than to prevent > any exploits. Unlike data values, the table/column names come from trigger > arguments, and there is little reason for a trigger author to put hostile > inputs into those arguments. > > The attached documentation patch was originally intended to go along with > CVE-2026-6637, but we ultimately scoped it down to only the > security-relevant parts. This should be back-patched to v14. Note that we > are preparing to removing refint completely in v20, but IMHO this doc > update is still worth doing. > > Thoughts? > LGTM. Thanks, Satya
