upstream/postgresql
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-05-21 09:48:06 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
postgresql/src/backend
History
Noah Misch 248a433cd1 Fix SQL injection in logical replication origin checks. 
ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolates schema and
relation names into SQL without quoting them.  A crafted subscriber
relation name can inject arbitrary SQL on the publisher.  Test such a
name.  Back-patch to v16, where commit
8756930190 first appeared.

Reported-by: Pavel Kohout <pavel.kohout@aisle.com>
Author: Pavel Kohout <pavel.kohout@aisle.com>
Reviewed-by: Nathan Bossart <nathandbossart@gmail.com>
Backpatch-through: 16
Security: CVE-2026-6638
2026-05-11 05:13:50 -07:00
..
access Fix multixact backwards-compatibility with CHECKPOINT race condition 2026-03-23 12:02:27 +02:00
archive Redesign archive modules 2023-02-17 14:26:42 +09:00
backup Fix error message related to end TLI in backup manifest 2026-01-18 17:25:01 +09:00
bootstrap Fix CREATE INDEX progress reporting for multi-level partitioning. 2023-03-25 15:34:03 -04:00
catalog Don't call CheckAttributeType() with InvalidOid on dropped cols 2026-04-23 21:33:02 +03:00
commands Fix SQL injection in logical replication origin checks. 2026-05-11 05:13:50 -07:00
executor Fix incorrect logic for hashed IN / NOT IN with non-strict operators 2026-04-24 14:04:31 +12:00
foreign Restrict accesses to non-system views and foreign tables during pg_dump. 2024-08-05 06:05:28 -07:00
jit jit: No backport::SectionMemoryManager for LLVM 22. 2026-04-03 15:01:56 +13:00
lib Accommodate very large dshash tables. 2024-12-17 15:24:45 -06:00
libpq Apply timingsafe_bcmp() in authentication paths 2026-05-11 05:13:49 -07:00
main Avoid possible crash within libsanitizer. 2025-11-05 11:09:30 -05:00
nodes Build whole-row Vars the same way during parsing and planning. 2025-03-12 11:47:19 -04:00
optimizer Consider collation when proving subquery uniqueness 2026-05-05 10:31:17 +09:00
parser Fix attnum remapping in generateClonedExtStatsStmt() 2026-04-30 11:14:26 -04:00
partitioning Fix creation of partition descriptor during concurrent detach+drop 2024-08-12 18:17:56 -04:00
po Translation updates 2026-05-11 13:07:36 +02:00
port Don't treat EINVAL from semget() as a hard failure. 2025-08-13 11:59:47 -04:00
postmaster Fix unbounded recursive handling of SSL/GSS in ProcessStartupPacket() 2026-05-11 05:13:49 -07:00
regex Harden our regex engine against integer overflow in size calculations. 2026-05-11 05:13:49 -07:00
replication Flush statistics during idle periods in parallel apply worker. 2026-04-20 10:13:55 +05:30
rewrite Fix incorrect NEW references to generated columns in rule rewriting 2026-04-21 14:33:07 +09:00
snowball Avoid null pointer dereference crash after OOM in Snowball stemmers. 2025-02-18 21:23:59 -05:00
statistics Fix set of issues with extended statistics on expressions 2026-03-02 09:38:44 +09:00
storage Make palloc_array() and friends safe against integer overflow. 2026-05-11 05:13:49 -07:00
tcop Check for CREATE privilege on the schema in CREATE STATISTICS. 2025-11-10 09:00:00 -06:00
tsearch Fix overflows with ts_headline() 2026-05-11 05:13:49 -07:00
utils Fix assorted places that need to use palloc_array(). 2026-05-11 05:13:49 -07:00
.gitignore
common.mk Blind attempt to fix LLVM dependency in the backend 2022-09-15 10:53:48 +07:00
Makefile Fix make headerscheck 2024-04-27 11:38:41 +07:00
meson.build Add win32ver data to meson-built postgres.exe. 2023-06-12 07:40:38 -07:00
nls.mk Add missing gettext triggers 2023-05-10 13:51:51 +02:00