Fix SQL injection in logical replication origin checks. ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolates schema and relation names into SQL without quoting them. A crafted subscriber relation name can inject arbitrary SQL on the publisher. Test such a name. Back-patch to v16, where commit 875693019053b8897ec3983e292acbb439b088c3 first appeared.
Reported-by: Pavel Kohout <[email protected]> Author: Pavel Kohout <[email protected]> Reviewed-by: Nathan Bossart <[email protected]> Backpatch-through: 16 Security: CVE-2026-6638 Branch ------ REL_16_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/248a433cd10759ef968ebed655d19dd1ef129bf6 Modified Files -------------- src/backend/commands/subscriptioncmds.c | 9 +++++++-- src/test/subscription/t/030_origin.pl | 35 ++++++++++++++++++--------------- 2 files changed, 26 insertions(+), 18 deletions(-)
