pg_createsubscriber: Obstruct SQL injection via subscription names.

drop_existing_subscription() neglected to escape the subscription
name when generating its query string.  To fix, use
PQescapeIdentifier() to construct a properly escaped name, and use
it in the ALTER SUBSCRIPTION and DROP SUBSCRIPTION commands.

Reported-by: Yu Kunpeng <yu443940816@live.com>
Author: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Amit Kapila <amit.kapila16@gmail.com>
Security: CVE-2026-6476
Backpatch-through: 17

diff --git a/src/bin/pg_basebackup/pg_createsubscriber.c b/src/bin/pg_basebackup/pg_createsubscriber.c
index 809626f4af3985d7134cd6c6e73b939e00b4f75d..81d3c78b805acdaae6b59f7ce5f239006fb3982a 100644 (file)
--- a/src/bin/pg_basebackup/pg_createsubscriber.c
+++ b/src/bin/pg_basebackup/pg_createsubscriber.c
@@ -1257,18 +1257,23 @@ drop_existing_subscription(PGconn *conn, const char *subname, const char *dbname
 {
        PQExpBuffer query = createPQExpBuffer();
        PGresult   *res;
+       char       *subname_esc;
 
        Assert(conn != NULL);
 
+       subname_esc = PQescapeIdentifier(conn, subname, strlen(subname));
+
        /*
         * Construct a query string. These commands are allowed to be executed
         * within a transaction.
         */
        appendPQExpBuffer(query, "ALTER SUBSCRIPTION %s DISABLE;",
-                                         subname);
+                                         subname_esc);
        appendPQExpBuffer(query, " ALTER SUBSCRIPTION %s SET (slot_name = NONE);",
-                                         subname);
-       appendPQExpBuffer(query, " DROP SUBSCRIPTION %s;", subname);
+                                         subname_esc);
+       appendPQExpBuffer(query, " DROP SUBSCRIPTION %s;", subname_esc);
+
+       PQfreemem(subname_esc);
 
        if (dry_run)
                pg_log_info("dry-run: would drop subscription \"%s\" in database \"%s\"",