postgresql/src/backend
Tom Lane a75bd485b5 Clean up quoting of variable strings within replication commands.
Our handling of quoting within replication commands was pretty
sloppy, typically looking like
        appendStringInfo(&cmd, " SLOT \"%s\"", options->slotname);
This is fine as long as options->slotname doesn't contain a double
quote mark, but what if it does?  In principle this'd allow injection
of harmful options into replication commands, in the probably-unlikely
case that a slot name comes from untrustworthy input.  We ought to
clean that up.

Moreover, even the places that were trying to be more careful
generally got it wrong, because they used quoting subroutines
intended for SQL commands rather than something that will work
with the replication-command scanner repl_scanner.l.  For example,
several places naively use PQescapeLiteral() to quote option values
for replication commands.  If the string contains a backslash,
PQescapeLiteral() will produce E'...' literal syntax, which
repl_scanner.l doesn't recognize.  Another near miss was to use
quote_identifier() to quote identifiers.  That function won't quote
valid lowercase identifiers unless they match SQL keywords ... but in
this context, replication keywords are what matter.  Neither of these
errors seem to risk string injection, but they definitely can cause
syntax errors in replication commands that ought to be valid.

We can clean all this up by using simple quoting logic that just
doubles single or double quotes respectively.

Or at least, we could if repl_scanner.l handled doubled double quotes
in identifiers, but for some reason it doesn't!  So the first step in
this fix has to be to fix that.  (The fact that we'll later reject
slot names containing double quotes is very far short of justifying
this omission.)

Having done that, this patch runs around and applies correct
quoting in all places that generate replication commands containing
strings coming from outside the immediate context.  Probably some
of these places are safe because of restrictions elsewhere, but it
seems best to just quote all the time.

This was originally reported as a security bug, which it could be
if replication slot names or parameters were to originate from
untrustworthy sources.  But the security team concluded that that
was a very improbable situation, so we're just going to fix this
as a regular bug.

Reported-by: Team Dhiutsa
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Ayush Tiwari <ayushtiwari.slg01@gmail.com>
Discussion: https://postgr.es/m/1648659.1781287310@sss.pgh.pa.us
Backpatch-through: 14
2026-06-15 15:35:37 -04:00
..
access Fix second race with timeline selection during promotion 2026-06-12 11:44:11 +09:00
archive Don't include wait_event.h in pgstat.h 2026-03-06 16:24:58 +01:00
backup Pre-beta mechanical code beautification, step 1: run pgindent. 2026-05-13 10:34:17 -04:00
bootstrap Rework signal handler infrastructure to pass sender info as argument. 2026-04-15 07:30:34 -04:00
catalog Fix translatable string construction 2026-06-11 18:29:36 +02:00
commands Clean up quoting of variable strings within replication commands. 2026-06-15 15:35:37 -04:00
executor Revert "Enable fast default for domains with non-volatile constraints" 2026-06-08 14:20:39 -04:00
foreign Remove bits* typedefs. 2026-03-30 16:12:08 -05:00
jit Fix another case of indirectly casting away const. 2026-06-04 11:37:55 -04:00
lib Pre-beta mechanical code beautification, step 1: run pgindent. 2026-05-13 10:34:17 -04:00
libpq Fix md5_password_warnings for role and database settings 2026-06-12 08:32:39 +09:00
main Update copyright for 2026 2026-01-01 13:24:10 -05:00
nodes IS JSON/JSON(): Protect against expressions uncoercible to text 2026-06-11 16:17:58 +02:00
optimizer Fix missed checks for hashability of container-type equality. 2026-06-08 11:48:16 -04:00
parser IS JSON/JSON(): Protect against expressions uncoercible to text 2026-06-11 16:17:58 +02:00
partitioning Reject degenerate SPLIT PARTITION with DEFAULT partition 2026-05-25 11:57:42 +03:00
po Translation updates 2026-06-01 12:13:54 +02:00
port Use "grep -E" not "egrep". 2026-05-13 12:07:19 -04:00
postmaster Fix syslogger NULL-pointer-dereference in EXEC_BACKEND 2026-06-08 19:49:54 +02:00
regex Harden our regex engine against integer overflow in size calculations. 2026-05-11 05:13:46 -07:00
replication Clean up quoting of variable strings within replication commands. 2026-06-15 15:35:37 -04:00
rewrite Fix LATERAL references in GRAPH_TABLE with multi-label pattern 2026-06-05 09:27:51 +02:00
snowball Fix meson build of snowball code. 2026-01-05 16:51:36 -05:00
statistics Adjust some error hints 2026-05-26 08:13:22 +09:00
storage Fix MarkBufferDirtyHint() to not call GetBufferDescriptor() for local buffers 2026-06-10 13:49:26 +09:00
tcop Simplify signature of ProcessStartupPacket() 2026-05-17 07:44:17 +09:00
tsearch dict_synonym.c: remove incorrect outlen. 2026-06-08 11:47:53 -07:00
utils Confine RI fast-path batching to the top transaction level 2026-06-12 11:30:38 +09:00
.gitignore
common.mk Blind attempt to fix LLVM dependency in the backend 2022-09-15 10:53:48 +07:00
Makefile ssl: Serverside SNI support for libpq 2026-03-18 12:37:11 +01:00
meson.build Add CONCURRENTLY option to REPACK 2026-04-06 21:55:08 +02:00
nls.mk Create a separate file listing backend types 2025-09-26 15:21:49 +02:00