From: Nathan Bossart Date: Mon, 11 May 2026 12:13:47 +0000 (-0700) Subject: pg_createsubscriber: Obstruct SQL injection via subscription names. X-Git-Tag: REL_18_4~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c2e44c370edc003367e94bde137c6d9cfab5919c;p=thirdparty%2Fpostgresql.git pg_createsubscriber: Obstruct SQL injection via subscription names. drop_existing_subscription() neglected to escape the subscription name when generating its query string. To fix, use PQescapeIdentifier() to construct a properly escaped name, and use it in the ALTER SUBSCRIPTION and DROP SUBSCRIPTION commands. Reported-by: Yu Kunpeng Author: Nathan Bossart Reviewed-by: Amit Kapila Security: CVE-2026-6476 Backpatch-through: 17 --- diff --git a/src/bin/pg_basebackup/pg_createsubscriber.c b/src/bin/pg_basebackup/pg_createsubscriber.c index e06439c1e95..51d12aa7f6f 100644 --- a/src/bin/pg_basebackup/pg_createsubscriber.c +++ b/src/bin/pg_basebackup/pg_createsubscriber.c @@ -1118,18 +1118,23 @@ drop_existing_subscriptions(PGconn *conn, const char *subname, const char *dbnam { PQExpBuffer query = createPQExpBuffer(); PGresult *res; + char *subname_esc; Assert(conn != NULL); + subname_esc = PQescapeIdentifier(conn, subname, strlen(subname)); + /* * Construct a query string. These commands are allowed to be executed * within a transaction. */ appendPQExpBuffer(query, "ALTER SUBSCRIPTION %s DISABLE;", - subname); + subname_esc); appendPQExpBuffer(query, " ALTER SUBSCRIPTION %s SET (slot_name = NONE);", - subname); - appendPQExpBuffer(query, " DROP SUBSCRIPTION %s;", subname); + subname_esc); + appendPQExpBuffer(query, " DROP SUBSCRIPTION %s;", subname_esc); + + PQfreemem(subname_esc); if (dry_run) pg_log_info("dry-run: would drop subscription \"%s\" in database \"%s\"",