pg_createsubscriber: Obstruct SQL injection via subscription names.
Nathan Bossart <nathan@postgresql.org>
Author:
Nathan Bossart <nathan@postgresql.org>
Committer:
Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:49Z
Releases:
17.10
pg_createsubscriber: Obstruct SQL injection via subscription names. drop_existing_subscription() neglected to escape the subscription name when generating its query string. To fix, use PQescapeIdentifier() to construct a properly escaped name, and use it in the ALTER SUBSCRIPTION and DROP SUBSCRIPTION commands. Reported-by: Yu Kunpeng <yu443940816@live.com> Author: Nathan Bossart <nathandbossart@gmail.com> Reviewed-by: Amit Kapila <amit.kapila16@gmail.com> Security: CVE-2026-6476 Backpatch-through: 17
Files
| Path | Change | +/− |
|---|---|---|
| src/bin/pg_basebackup/pg_createsubscriber.c | modified | +8 −3 |