Do quoting more carefully in replication commands

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: pgsql-hackers@lists.postgresql.org
Date: 2026-06-12T18:01:50Z
Lists: pgsql-hackers

Attachments

The security team received a report that pg_recvlogical was
careless about quoting --option arguments that are passed
into the START_REPLICATION command given to the server.  In
principle this'd allow an attacker to inject unwanted stuff
into START_REPLICATION's options.  However, we found it really
hard to envision a situation where somebody would be passing
strings obtained from untrustworthy sources to pg_recvlogical,
especially given that anything to do with replication already
requires pretty high privilege.  So we're electing to treat this
as a garden-variety bug rather than one requiring the CVE process.

Looking around revealed other places also being sloppy about
quoting strings inserted into replication commands, but the same
who-would-do-that argument applies to them too.  So here is a
patch that tries to clean all that up.

(I envision back-patching this all the way, but have not yet
looked at whether the back branches will require adjustments.)

			regards, tom lane

Commits

  1. Clean up quoting of variable strings within replication commands.