From: Nathan Bossart Date: Mon, 11 May 2026 12:13:49 +0000 (-0700) Subject: pg_createsubscriber: Obstruct SQL injection via subscription names. X-Git-Tag: REL_17_10~11 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=d7de7fa84d2492f15747163cbb2f4c5c110ec4a4;p=thirdparty%2Fpostgresql.git pg_createsubscriber: Obstruct SQL injection via subscription names. drop_existing_subscription() neglected to escape the subscription name when generating its query string. To fix, use PQescapeIdentifier() to construct a properly escaped name, and use it in the ALTER SUBSCRIPTION and DROP SUBSCRIPTION commands. Reported-by: Yu Kunpeng Author: Nathan Bossart Reviewed-by: Amit Kapila Security: CVE-2026-6476 Backpatch-through: 17
---
diff --git a/src/bin/pg_basebackup/pg_createsubscriber.c b/src/bin/pg_basebackup/pg_createsubscriber.c
index bad464136e2..eb90c23ca0d 100644
--- a/src/bin/pg_basebackup/pg_createsubscriber.c
+++ b/src/bin/pg_basebackup/pg_createsubscriber.c
@@ -1063,18 +1063,23 @@ drop_existing_subscriptions(PGconn *conn, const char *subname, const char *dbnam
 {
 PQExpBuffer query = createPQExpBuffer();
 PGresult *res;
+ char *subname_esc;
 
 Assert(conn != NULL);
 
+ subname_esc = PQescapeIdentifier(conn, subname, strlen(subname));
+
 /*
 * Construct a query string. These commands are allowed to be executed
 * within a transaction.
 */
 appendPQExpBuffer(query, "ALTER SUBSCRIPTION %s DISABLE;",
- subname);
+ subname_esc);
 appendPQExpBuffer(query, " ALTER SUBSCRIPTION %s SET (slot_name = NONE);",
- subname);
- appendPQExpBuffer(query, " DROP SUBSCRIPTION %s;", subname);
+ subname_esc);
+ appendPQExpBuffer(query, " DROP SUBSCRIPTION %s;", subname_esc);
+
+ PQfreemem(subname_esc);
 
 pg_log_info("dropping subscription \"%s\" in database \"%s\"",
 subname, dbname);
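Review bot: The return value of `PQescapeIdentifier()` is passed to the three `appendPQExpBuffer()` calls without a NULL check. libpq returns NULL from it on failure (for example an invalid multibyte sequence in the name, or out of memory) and stores the reason in the connection's error message. A guard directly after the call, such as `if (subname_esc == NULL) pg_fatal("could not escape identifier \"%s\": %s", subname, PQerrorMessage(conn));`, would report the real cause rather than formatting a NULL pointer into the command text. The body of drop_existing_subscriptions() continues past the end of the hunk, so the function's own error path is not visible here; the guard should follow whatever convention that code uses.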