Fix SQL injection in logical replication origin checks. ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolates schema and relation names into SQL without quoting them. A crafted subscriber relation name can inject arbitrary SQL on the publisher. Test such a name. Back-patch to v16, where commit 875693019053b8897ec3983e292acbb439b088c3 first appeared.
Reported-by: Pavel Kohout <[email protected]> Author: Pavel Kohout <[email protected]> Reviewed-by: Nathan Bossart <[email protected]> Backpatch-through: 16 Security: CVE-2026-6638 Branch ------ REL_18_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/cb35d730689546dd7334437f2954a6670fbb967e Modified Files -------------- src/backend/commands/subscriptioncmds.c | 9 ++++-- src/test/subscription/t/030_origin.pl | 55 +++++++++++++++++---------------- 2 files changed, 36 insertions(+), 28 deletions(-)
