pg_createsubscriber: Obstruct SQL injection via subscription names.

Nathan Bossart <nathan@postgresql.org>

Commit: d389415ffad509f0de1342e6ebbb5d5c62dbedef
Author: Nathan Bossart <nathan@postgresql.org>
Committer: Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:47Z
pg_createsubscriber: Obstruct SQL injection via subscription names.

drop_existing_subscription() neglected to escape the subscription
name when generating its query string.  To fix, use
PQescapeIdentifier() to construct a properly escaped name, and use
it in the ALTER SUBSCRIPTION and DROP SUBSCRIPTION commands.

Reported-by: Yu Kunpeng <yu443940816@live.com>
Author: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Amit Kapila <amit.kapila16@gmail.com>
Security: CVE-2026-6476
Backpatch-through: 17

Files

PathChange+/−
src/bin/pg_basebackup/pg_createsubscriber.c modified +8 −3