pg_createsubscriber: Obstruct SQL injection via subscription names.

drop_existing_subscription() neglected to escape the subscription name when generating its query string. To fix, use PQescapeIdentifier() to construct a properly escaped name, and use it in the ALTER SUBSCRIPTION and DROP SUBSCRIPTION commands.
Reported-by: Yu Kunpeng <[email protected]>
Author: Nathan Bossart <[email protected]>
Reviewed-by: Amit Kapila <[email protected]>
Security: CVE-2026-6476
Backpatch-through: 17

Branch
------
REL_17_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/d7de7fa84d2492f15747163cbb2f4c5c110ec4a4

Author: Nathan Bossart <[email protected]>

Modified Files
--------------
src/bin/pg_basebackup/pg_createsubscriber.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
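Added example, not code from the PostgreSQL tree: a small C program showing the pattern the commit message describes, a subscription name interpolated raw into ALTER SUBSCRIPTION / DROP SUBSCRIPTION beside the same statements built through identifier quoting. quote_identifier() is a local stand-in for libpq's PQescapeIdentifier() (same output rule: wrap in double quotes, double embedded double quotes) so that the program compiles without libpq; the hostile names and the count_unquoted_semicolons() check are constructed for this demonstration and do not come from the report or the fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for PQescapeIdentifier(): wrap the name in double quotes and
 * double each embedded double quote, the PostgreSQL quoted-identifier rule.
 * The real libpq call also takes a PGconn (for encoding checks) and rejects
 * embedded NULs; this local version is an assumption so the example builds
 * without libpq.  Returns a malloc'd string that the caller frees.
 */
static char *
quote_identifier(const char *name)
{
    size_t n = strlen(name);
    char *out = malloc(2 * n + 3);  /* every char doubled + 2 quotes + NUL */
    size_t j = 0;

    if (out == NULL)
        return NULL;
    out[j++] = '"';
    for (size_t i = 0; i < n; i++)
    {
        if (name[i] == '"')
            out[j++] = '"';
        out[j++] = name[i];
    }
    out[j++] = '"';
    out[j] = '\0';
    return out;
}

/*
 * prefix + name + suffix.  escape == 0 interpolates the name verbatim (the
 * pattern the fix removes); escape != 0 quotes it first.  On allocation
 * failure it returns NULL rather than falling back to the raw name.
 */
static char *
build_sql(const char *prefix, const char *subname, const char *suffix, int escape)
{
    char *ident = NULL;
    const char *name = subname;
    char *sql;

    if (escape)
    {
        ident = quote_identifier(subname);
        if (ident == NULL)
            return NULL;
        name = ident;
    }
    sql = malloc(strlen(prefix) + strlen(name) + strlen(suffix) + 1);
    if (sql != NULL)
    {
        strcpy(sql, prefix);
        strcat(sql, name);
        strcat(sql, suffix);
    }
    free(ident);
    return sql;
}

static char *
build_alter_disable(const char *subname, int escape)
{
    return build_sql("ALTER SUBSCRIPTION ", subname, " DISABLE", escape);
}

static char *
build_drop(const char *subname, int escape)
{
    return build_sql("DROP SUBSCRIPTION ", subname, "", escape);
}

/*
 * Count ';' outside double-quoted identifiers and single-quoted literals.
 * A single well-formed statement has zero; each extra one is a statement
 * boundary the name managed to smuggle in.  A doubled quote inside a quoted
 * region is an escaped quote, not a terminator.
 */
static int
count_unquoted_semicolons(const char *sql)
{
    int count = 0;
    char quote = 0;

    for (const char *p = sql; *p; p++)
    {
        if (quote)
        {
            if (*p == quote)
            {
                if (p[1] == quote)
                    p++;
                else
                    quote = 0;
            }
        }
        else if (*p == '"' || *p == '\'')
            quote = *p;
        else if (*p == ';')
            count++;
    }
    return count;
}

/* Helpers returning plain values so results can be checked, not just printed. */
static int
drop_statement_breaks(const char *subname, int escape)
{
    char *sql = build_drop(subname, escape);
    int n = sql ? count_unquoted_semicolons(sql) : -1;
    free(sql);
    return n;
}

static int
sql_equals(char *sql, const char *expected)
{
    int eq = sql != NULL && strcmp(sql, expected) == 0;
    free(sql);
    return eq;
}

int
main(void)
{
    /* Constructed hostile names, not taken from any real report. */
    const char *inject = "sub; DROP TABLE customers; --";
    const char *quoted = "sub\"; DROP TABLE t; --";
    char *raw = build_drop(inject, 0);
    char *safe = build_drop(inject, 1);
    char *ident = quote_identifier(quoted);

    printf("raw:    %s  [boundaries: %d]\n", raw, count_unquoted_semicolons(raw));
    printf("quoted: %s  [boundaries: %d]\n", safe, count_unquoted_semicolons(safe));
    printf("name with embedded quote becomes %s\n", ident);
    free(raw);
    free(safe);
    free(ident);
    return 0;
}
```

The second constructed name shows why doubling matters: wrapping `sub"; DROP TABLE t; --` in quotes without doubling would let the embedded `"` close the identifier early, whereas `"sub""; DROP TABLE t; --"` stays one identifier. When using the real libpq call, check PQescapeIdentifier() for a NULL return (it fails on bad encoding or allocation) and release the result with PQfreemem(), not free().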
