Fix SQL injection in logical replication origin checks. ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolates schema and relation names into SQL without quoting them. A crafted subscriber relation name can inject arbitrary SQL on the publisher. Test such a name. Back-patch to v16, where commit 875693019053b8897ec3983e292acbb439b088c3 first appeared.
Reported-by: Pavel Kohout <[email protected]> Author: Pavel Kohout <[email protected]> Reviewed-by: Nathan Bossart <[email protected]> Backpatch-through: 16 Security: CVE-2026-6638 Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/46b4f5c11b0f2f6e6db834ffafc0d1a01a0373c1 Modified Files -------------- src/backend/commands/subscriptioncmds.c | 18 ++++++++--- src/test/subscription/t/030_origin.pl | 55 +++++++++++++++++---------------- 2 files changed, 43 insertions(+), 30 deletions(-)
