Fix SQL injection in logical replication origin checks. ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolates schema and relation names into SQL without quoting them. A crafted subscriber relation name can inject arbitrary SQL on the publisher. Test such a name. Back-patch to v16, where commit 875693019053b8897ec3983e292acbb439b088c3 first appeared.
Reported-by: Pavel Kohout <[email protected]> Author: Pavel Kohout <[email protected]> Reviewed-by: Nathan Bossart <[email protected]> Backpatch-through: 16 Security: CVE-2026-6638 Branch ------ REL_17_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/f0f59b658ef10901c9af3af7705c802a72a0577e Modified Files -------------- src/backend/commands/subscriptioncmds.c | 9 +++++++-- src/test/subscription/t/030_origin.pl | 35 ++++++++++++++++++--------------- 2 files changed, 26 insertions(+), 18 deletions(-)
