Do quoting more carefully in replication commands
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: pgsql-hackers@lists.postgresql.org
Date: 2026-06-12T18:01:50Z
Lists: pgsql-hackers
Attachments
- v1-0001-Clean-up-quoting-of-variable-strings-within-repli.patch (text/x-diff) patch v1-0001
The security team received a report that pg_recvlogical was careless about quoting --option arguments that are passed into the START_REPLICATION command given to the server. In principle this'd allow an attacker to inject unwanted stuff into START_REPLICATION's options. However, we found it really hard to envision a situation where somebody would be passing strings obtained from untrustworthy sources to pg_recvlogical, especially given that anything to do with replication already requires pretty high privilege. So we're electing to treat this as a garden-variety bug rather than one requiring the CVE process. Looking around revealed other places also being sloppy about quoting strings inserted into replication commands, but the same who-would-do-that argument applies to them too. So here is a patch that tries to clean all that up. (I envision back-patching this all the way, but have not yet looked at whether the back branches will require adjustments.) regards, tom lane
Commits
-
Clean up quoting of variable strings within replication commands.
- abb5825550a8 18 (unreleased) landed
- a75bd485b5ea 19 (unreleased) landed
- 819e5b964bbe 15 (unreleased) landed
- 2a00840e8c97 14 (unreleased) landed
- 26d6c19d0f44 16 (unreleased) landed
- 14810cc0d96c 17 (unreleased) landed