From abd3e8a7131621251b5d4628f4cb0979911159ac Mon Sep 17 00:00:00 2001 From: Bertrand Drouvot Date: Fri, 23 Feb 2024 13:58:31 +0000 Subject: [PATCH v1] reset search_path for slot synchronization. Ensure that search_path is reset for slot synchronization, within the BGW and "local" connections. --- src/backend/replication/libpqwalreceiver/libpqwalreceiver.c | 2 +- src/backend/replication/logical/slotsync.c | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) 20.0% src/backend/replication/libpqwalreceiver/ 79.9% src/backend/replication/logical/ diff --git a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c index 04271ee703..a30528a5f6 100644 --- a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c +++ b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c @@ -271,7 +271,7 @@ libpqrcv_connect(const char *conninfo, bool replication, bool logical, errhint("Target server's authentication method must be changed, or set password_required=false in the subscription parameters."))); } - if (logical) + if (logical || !replication) { PGresult *res; diff --git a/src/backend/replication/logical/slotsync.c b/src/backend/replication/logical/slotsync.c index 36773cfe73..0ee08c3976 100644 --- a/src/backend/replication/logical/slotsync.c +++ b/src/backend/replication/logical/slotsync.c @@ -1215,6 +1215,12 @@ ReplSlotSyncWorkerMain(int argc, char *argv[]) */ sigprocmask(SIG_SETMASK, &UnBlockSig, NULL); + /* + * Set always-secure search path, so malicious users can't redirect user + * code (e.g. operators). + */ + SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE); + dbname = CheckAndGetDbnameFromConninfo(); /* -- 2.34.1