Re: Do quoting more carefully in replication commands

From: Ayush Tiwari <ayushtiwari(dot)slg01(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Do quoting more carefully in replication commands
Date: 2026-06-12 19:13:52
Message-ID: CAJTYsWU9Qp5VYf9GoAX5ngV6AbO5T=mkXT1vPoNiGGWu2S6Jwg@mail.gmail.com
Lists: pgsql-hackers

Hi,

On Fri, 12 Jun 2026 at 23:32, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> The security team received a report that pg_recvlogical was
> careless about quoting --option arguments that are passed
> into the START_REPLICATION command given to the server. In
> principle this'd allow an attacker to inject unwanted stuff
> into START_REPLICATION's options. However, we found it really
> hard to envision a situation where somebody would be passing
> strings obtained from untrustworthy sources to pg_recvlogical,
> especially given that anything to do with replication already
> requires pretty high privilege. So we're electing to treat this
> as a garden-variety bug rather than one requiring the CVE process.
>
> Looking around revealed other places also being sloppy about
> quoting strings inserted into replication commands, but the same
> who-would-do-that argument applies to them too. So here is a
> patch that tries to clean all that up.
>
> (I envision back-patching this all the way, but have not yet
> looked at whether the back branches will require adjustments.)
>

Thanks for the patch!

I looked at the patch and big +1 on handling quoting wherever
feasible rather than depending on some parent or child function to do that.

Not only does the patch fix quoting, it also fixes some
workflows (it is on the right side, so I think adding a test
is optional though some ERROR / behaviour would change,
for example some earlier "Syntax error" would fall through
the whole function).

$ pg_receivewal -D wal --slot=999 --no-sync
pg_receivewal: error: could not send replication command
"READ_REPLICATION_SLOT": ERROR: syntax error
pg_receivewal: disconnected; waiting 5 seconds to try again
pg_receivewal: error: could not send replication command
"READ_REPLICATION_SLOT": ERROR: syntax error
[loops]

The above works fine post the patch. Even for the libpqwalreceiver
issue when publication_names contains a backslash, as mentioned
in your patch commit, earlier the subscription used to be permanently stuck due
to that addition of E.

All in all, I did not find any issues with the patch, lgtm.

Regards,
Ayush
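
An added example, not part of this message or of the patch under review: a minimal C sketch of quoting one option name and value before it is placed into a replication command. It assumes the replication command scanner accepts double-quoted identifiers and single-quoted strings with the delimiter doubled, and does not accept an E'...' prefix or backslash escapes; format_option and quote_with are hypothetical helpers, and the sample value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Wrap src in delimiter q (' for a string, " for an identifier), doubling
 * every embedded q. Backslashes are copied unchanged and no E prefix is
 * emitted (assumed scanner behaviour, see lead-in).
 * Returns the number of bytes written, or -1 if dst is too small. */
static int
quote_with(char q, const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;

    if (dstlen < 3)
        return -1;
    dst[n++] = q;
    for (; *src; src++)
    {
        if (n + 3 >= dstlen)    /* need room for 2 bytes, closing q, NUL */
            return -1;
        if (*src == q)
            dst[n++] = q;
        dst[n++] = *src;
    }
    dst[n++] = q;
    dst[n] = '\0';
    return (int) n;
}

/* Format one option as: "name" 'value'. Returns 0, or -1 on overflow. */
int
format_option(const char *name, const char *value, char *dst, size_t dstlen)
{
    int a = quote_with('"', name, dst, dstlen);

    if (a < 0 || (size_t) a + 1 >= dstlen)
        return -1;
    dst[a++] = ' ';
    return quote_with('\'', value, dst + a, dstlen - (size_t) a) < 0 ? -1 : 0;
}

int
main(void)
{
    char buf[128];

    /* Constructed value containing both a backslash and a single quote. */
    if (format_option("publication_names", "pub\\one, it's", buf, sizeof buf) == 0)
        printf("(%s)\n", buf);
    return 0;
}
```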
