ext/pgsql: escape table name, delimiter, null marker in pg_copy_from/to

iliaal · iliaal · commit b97ce88b51db · 2026-05-11T07:54:00.000-04:00
The COPY query embedded table_name with a raw "%s" and the delimiter and null marker inside literal E'..' wrappers, so caller-supplied strings could break out and run side queries. Route bare table names through build_tablename (the same helper pg_insert/update/select/delete have used since bug #62978) and pass the delimiter and null marker through PQescapeLiteral. pg_copy_to keeps the parenthesised (query) source form documented in bug 73498; the input is now SQL-aware paren-balance checked (single, double, and dollar-quoted literals are tracked) and rejected if depth returns to 0 before end-of-string, so the user-supplied string cannot close the wrapper early and inject a trailing statement. Closes GH-21985
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
@@ -273,6 +273,103 @@ static void pgsql_lob_free_obj(zend_object *obj)
 
 /* Compatibility definitions */
 
+static inline zend_result build_tablename(smart_str *querystr, PGconn *pg_link, const zend_string *table);
+
+static bool pgsql_copy_query_form_balanced(const char *s, size_t len)
+{
+	if (len < 2 || s[0] != '(' || s[len - 1] != ')') {
+		return false;
+	}
+	int depth = 0;
+	size_t i = 0;
+	while (i < len) {
+		char c = s[i];
+		if (c == '\'' || c == '"') {
+			char quote = c;
+			i++;
+			while (i < len) {
+				if (s[i] == quote) {
+					if (i + 1 < len && s[i + 1] == quote) {
+						i += 2;
+						continue;
+					}
+					i++;
+					break;
+				}
+				i++;
+			}
+			continue;
+		}
+		if (c == '$') {
+			size_t tag_start = i + 1;
+			size_t p = tag_start;
+			while (p < len && (isalnum((unsigned char) s[p]) || s[p] == '_')) {
+				p++;
+			}
+			if (p < len && s[p] == '$') {
+				size_t tag_len = p - tag_start;
+				size_t scan = p + 1;
+				bool closed = false;
+				while (scan + tag_len + 1 < len) {
+					if (s[scan] == '$' && s[scan + tag_len + 1] == '$'
+						&& (tag_len == 0 || memcmp(s + scan + 1, s + tag_start, tag_len) == 0)) {
+						scan = scan + tag_len + 2;
+						closed = true;
+						break;
+					}
+					scan++;
+				}
+				if (!closed) {
+					return false;
+				}
+				i = scan;
+				continue;
+			}
+			i++;
+			continue;
+		}
+		if (c == '-' && i + 1 < len && s[i + 1] == '-') {
+			i += 2;
+			while (i < len && s[i] != '\n') {
+				i++;
+			}
+			continue;
+		}
+		if (c == '/' && i + 1 < len && s[i + 1] == '*') {
+			i += 2;
+			int cdepth = 1;
+			while (i + 1 < len && cdepth > 0) {
+				if (s[i] == '/' && s[i + 1] == '*') {
+					cdepth++;
+					i += 2;
+				} else if (s[i] == '*' && s[i + 1] == '/') {
+					cdepth--;
+					i += 2;
+				} else {
+					i++;
+				}
+			}
+			if (cdepth != 0) {
+				return false;
+			}
+			continue;
+		}
+		if (c == '(') {
+			depth++;
+		} else if (c == ')') {
+			depth--;
+			if (depth < 0) {
+				return false;
+			}
+			if (depth == 0 && i != len - 1) {
+				return false;
+			}
+		}
+		i++;
+	}
+	return depth == 0;
+}
+
 static zend_string *_php_pgsql_trim_message(const char *message)
 {
 	size_t i = strlen(message);
@@ -3347,9 +3444,8 @@ PHP_FUNCTION(pg_copy_to)
 	pgsql_link_handle *link;
 	zend_string *table_name;
 	zend_string *pg_delimiter = NULL;
-	char *pg_null_as = "\\\\N";
-	size_t pg_null_as_len = 0;
-	char *query;
+	char *pg_null_as = "\\N";
+	size_t pg_null_as_len = sizeof("\\N") - 1;
 	PGconn *pgsql;
 	PGresult *pgsql_result;
 	ExecStatusType status;
@@ -3373,14 +3469,49 @@ PHP_FUNCTION(pg_copy_to)
 		zend_argument_value_error(3, "must be one character");
 		RETURN_THROWS();
 	}
+	smart_str querystr = {0};
+	smart_str_appends(&querystr, "COPY ");
+	if (ZSTR_LEN(table_name) > 0 && ZSTR_VAL(table_name)[0] == '(') {
+		if (!pgsql_copy_query_form_balanced(ZSTR_VAL(table_name), ZSTR_LEN(table_name))) {
+			php_error_docref(NULL, E_WARNING, "Invalid query source '%s': must be a single balanced parenthesised expression", ZSTR_VAL(table_name));
+			smart_str_free(&querystr);
+			RETURN_FALSE;
+		}
+		smart_str_appendc(&querystr, '(');
+		smart_str_append(&querystr, table_name);
+		smart_str_appendc(&querystr, ')');
+	} else if (build_tablename(&querystr, pgsql, table_name) == FAILURE) {
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
 
-	spprintf(&query, 0, "COPY %s TO STDOUT DELIMITER E'%c' NULL AS E'%s'", ZSTR_VAL(table_name), *ZSTR_VAL(pg_delimiter), pg_null_as);
+	char *escaped_delimiter = PQescapeLiteral(pgsql, ZSTR_VAL(pg_delimiter), 1);
+	if (!escaped_delimiter) {
+		zend_string *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql));
+		php_error_docref(NULL, E_WARNING, "Failed to escape delimiter '%c': %s", *ZSTR_VAL(pg_delimiter), ZSTR_VAL(msgbuf));
+		zend_string_release(msgbuf);
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
+	char *escaped_null_as = PQescapeLiteral(pgsql, pg_null_as, pg_null_as_len);
+	if (!escaped_null_as) {
+		zend_string *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql));
+		php_error_docref(NULL, E_WARNING, "Failed to escape null_as '%s': %s", pg_null_as, ZSTR_VAL(msgbuf));
+		zend_string_release(msgbuf);
+		PQfreemem(escaped_delimiter);
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
+	smart_str_append_printf(&querystr, " TO STDOUT DELIMITER %s NULL AS %s", escaped_delimiter, escaped_null_as);
+	smart_str_0(&querystr);
+	PQfreemem(escaped_delimiter);
+	PQfreemem(escaped_null_as);
 
 	while ((pgsql_result = PQgetResult(pgsql))) {
 		PQclear(pgsql_result);
 	}
-	pgsql_result = PQexec(pgsql, query);
-	efree(query);
+	pgsql_result = PQexec(pgsql, ZSTR_VAL(querystr.s));
+	smart_str_free(&querystr);
 
 	if (pgsql_result) {
 		status = PQresultStatus(pgsql_result);
@@ -3462,9 +3593,8 @@ PHP_FUNCTION(pg_copy_from)
 	zval *value;
 	zend_string *table_name;
 	zend_string *pg_delimiter = NULL;
-	char *pg_null_as = "\\\\N";
-	size_t pg_null_as_len;
-	char *query;
+	char *pg_null_as = "\\N";
+	size_t pg_null_as_len = sizeof("\\N") - 1;
 	PGconn *pgsql;
 	PGresult *pgsql_result;
 	ExecStatusType status;
@@ -3488,14 +3618,41 @@ PHP_FUNCTION(pg_copy_from)
 		zend_argument_value_error(4, "must be one character");
 		RETURN_THROWS();
 	}
+	smart_str querystr = {0};
+	smart_str_appends(&querystr, "COPY ");
+	if (build_tablename(&querystr, pgsql, table_name) == FAILURE) {
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
+
+	char *escaped_delimiter = PQescapeLiteral(pgsql, ZSTR_VAL(pg_delimiter), 1);
+	if (!escaped_delimiter) {
+		zend_string *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql));
+		php_error_docref(NULL, E_WARNING, "Failed to escape delimiter '%c': %s", *ZSTR_VAL(pg_delimiter), ZSTR_VAL(msgbuf));
+		zend_string_release(msgbuf);
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
+	char *escaped_null_as = PQescapeLiteral(pgsql, pg_null_as, pg_null_as_len);
+	if (!escaped_null_as) {
+		zend_string *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql));
+		php_error_docref(NULL, E_WARNING, "Failed to escape null_as '%s': %s", pg_null_as, ZSTR_VAL(msgbuf));
+		zend_string_release(msgbuf);
+		PQfreemem(escaped_delimiter);
+		smart_str_free(&querystr);
+		RETURN_FALSE;
+	}
+	smart_str_append_printf(&querystr, " FROM STDIN DELIMITER %s NULL AS %s", escaped_delimiter, escaped_null_as);
+	smart_str_0(&querystr);
+	PQfreemem(escaped_delimiter);
+	PQfreemem(escaped_null_as);
 
-	spprintf(&query, 0, "COPY %s FROM STDIN DELIMITER E'%c' NULL AS E'%s'", ZSTR_VAL(table_name), *ZSTR_VAL(pg_delimiter), pg_null_as);
 	while ((pgsql_result = PQgetResult(pgsql))) {
 		PQclear(pgsql_result);
 	}
-	pgsql_result = PQexec(pgsql, query);
+	pgsql_result = PQexec(pgsql, ZSTR_VAL(querystr.s));
 
-	efree(query);
+	smart_str_free(&querystr);
 
 	if (pgsql_result) {
 		status = PQresultStatus(pgsql_result);
@@ -5574,7 +5731,9 @@ static inline zend_result build_tablename(smart_str *querystr, PGconn *pg_link,
 	} else {
 		char *escaped = PQescapeIdentifier(pg_link, ZSTR_VAL(table), len);
 		if (escaped == NULL) {
-			php_error_docref(NULL, E_NOTICE, "Failed to escape table name '%s'", ZSTR_VAL(table));
+			zend_string *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pg_link));
+			php_error_docref(NULL, E_WARNING, "Failed to escape table name '%s': %s", ZSTR_VAL(table), ZSTR_VAL(msgbuf));
+			zend_string_release(msgbuf);
 			return FAILURE;
 		}
 		smart_str_appends(querystr, escaped);
@@ -5590,7 +5749,9 @@ static inline zend_result build_tablename(smart_str *querystr, PGconn *pg_link,
 		} else {
 			char *escaped = PQescapeIdentifier(pg_link, after_dot, len);
 			if (escaped == NULL) {
-				php_error_docref(NULL, E_NOTICE, "Failed to escape table name '%s'", ZSTR_VAL(table));
+				zend_string *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pg_link));
+				php_error_docref(NULL, E_WARNING, "Failed to escape table name '%s': %s", ZSTR_VAL(table), ZSTR_VAL(msgbuf));
+				zend_string_release(msgbuf);
 				return FAILURE;
 			}
 			smart_str_appendc(querystr, '.');
diff --git a/ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt b/ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt
@@ -42,7 +42,7 @@ bool(false)
 Notice: pg_insert(): String value escaping failed for PostgreSQL 'text' (bar) in %s on line %d
 bool(false)
 
-Notice: pg_insert(): Failed to escape table name 'ABC%s';' in %s on line %d
+Warning: pg_insert(): Failed to escape table name 'ABC%s';': %s in %s on line %d
 bool(false)
 
 Notice: pg_insert(): Failed to escape field 'ABC%s';' in %s on line %d
diff --git a/ext/pgsql/tests/pg_copy_default_null_marker.phpt b/ext/pgsql/tests/pg_copy_default_null_marker.phpt
@@ -0,0 +1,52 @@
+--TEST--
+pg_copy_to() / pg_copy_from() default null marker round-trip
+--EXTENSIONS--
+pgsql
+--SKIPIF--
+<?php include("inc/skipif.inc"); ?>
+--FILE--
+<?php
+
+include('inc/config.inc');
+
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_default_null');
+pg_query($db, 'CREATE TABLE pg_copy_default_null (id int, v text)');
+pg_query($db, "INSERT INTO pg_copy_default_null VALUES (1, 'hello'), (2, NULL)");
+
+$rows = pg_copy_to($db, 'pg_copy_default_null');
+var_dump($rows);
+
+pg_query($db, 'DELETE FROM pg_copy_default_null');
+var_dump(pg_copy_from($db, 'pg_copy_default_null', $rows));
+var_dump(pg_fetch_all(pg_query($db, 'SELECT v FROM pg_copy_default_null ORDER BY id')));
+
+?>
+--CLEAN--
+<?php
+include('inc/config.inc');
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_default_null');
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  string(8) "1	hello
+"
+  [1]=>
+  string(5) "2	\N
+"
+}
+bool(true)
+array(2) {
+  [0]=>
+  array(1) {
+    ["v"]=>
+    string(5) "hello"
+  }
+  [1]=>
+  array(1) {
+    ["v"]=>
+    NULL
+  }
+}
diff --git a/ext/pgsql/tests/pg_copy_from_null_as_escape.phpt b/ext/pgsql/tests/pg_copy_from_null_as_escape.phpt
@@ -0,0 +1,43 @@
+--TEST--
+pg_copy_from() escapes the null_as argument
+--EXTENSIONS--
+pgsql
+--SKIPIF--
+<?php include("inc/skipif.inc"); ?>
+--FILE--
+<?php
+
+include('inc/config.inc');
+
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_null_as_target');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_null_as_injected');
+pg_query($db, 'CREATE TABLE pg_copy_null_as_target (v text)');
+
+$evil = "X'; CREATE TABLE pg_copy_null_as_injected (v text); --";
+var_dump(pg_copy_from($db, 'pg_copy_null_as_target', ["row\n"], "\t", $evil));
+
+$r = pg_query($db, "SELECT 1 FROM pg_tables WHERE tablename = 'pg_copy_null_as_injected'");
+var_dump(pg_num_rows($r));
+
+$r = pg_query($db, 'SELECT v FROM pg_copy_null_as_target ORDER BY v');
+var_dump(pg_fetch_all($r));
+
+?>
+--CLEAN--
+<?php
+include('inc/config.inc');
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_null_as_target');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_null_as_injected');
+?>
+--EXPECT--
+bool(true)
+int(0)
+array(1) {
+  [0]=>
+  array(1) {
+    ["v"]=>
+    string(3) "row"
+  }
+}
diff --git a/ext/pgsql/tests/pg_copy_from_table_name_escape.phpt b/ext/pgsql/tests/pg_copy_from_table_name_escape.phpt
@@ -0,0 +1,36 @@
+--TEST--
+pg_copy_from() escapes the table name argument
+--EXTENSIONS--
+pgsql
+--SKIPIF--
+<?php include("inc/skipif.inc"); ?>
+--FILE--
+<?php
+
+include('inc/config.inc');
+
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_from_target');
+pg_query($db, 'CREATE TABLE pg_copy_from_target (v text)');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_from_other');
+pg_query($db, 'CREATE TABLE pg_copy_from_other (v text)');
+
+$evil = "pg_copy_from_other FROM STDIN --";
+var_dump(pg_copy_from($db, $evil, ["redirected\n"]));
+
+$rows = pg_fetch_all(pg_query($db, 'SELECT v FROM pg_copy_from_other')) ?: [];
+var_dump($rows);
+
+?>
+--CLEAN--
+<?php
+include('inc/config.inc');
+$db = pg_connect($conn_str);
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_from_target');
+pg_query($db, 'DROP TABLE IF EXISTS pg_copy_from_other');
+?>
+--EXPECTF--
+Warning: pg_copy_from(): Copy command failed: ERROR:%srelation "pg_copy_from_other FROM STDIN --" does not exist%ain %s on line %d
+bool(false)
+array(0) {
+}
diff --git a/ext/pgsql/tests/pg_copy_to_query_injection.phpt b/ext/pgsql/tests/pg_copy_to_query_injection.phpt
diff --git a/ext/pgsql/tests/pg_copy_to_table_name_escape.phpt b/ext/pgsql/tests/pg_copy_to_table_name_escape.phpt
