Fixups for commit 93db6cbda0.

Ensure to set always-secure search path for both local and remote connections during slot synchronization, so that malicious users can't redirect user code (e.g. operators). In the passing, improve the name of define, remove spurious return statement, and a minor change in one of the comments. Author: Bertrand Drouvot and Shveta Malik Reviewed-by: Amit Kapila, Peter Smith Discussion: https://postgr.es/m/514f6f2f-6833-4539-39f1-96cd1e011f23@enterprisedb.com Discussion: https://postgr.es/m/ZdcejBDCr+wlVGnO@ip-10-97-1-34.eu-west-3.compute.internal Discussion: https://postgr.es/m/CAJpy0uBNP=nrkNJkJSfF=jSocEh8vU2Owa8Rtpi=63fG=SvfVQ@mail.gmail.com
2025-07-27 12:41:57 +03:00 · 2024-02-29 09:45:20 +05:30
parent ada87a4d95
commit b3f6b14cf4
4 changed files with 82 additions and 16 deletions
--- a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
+++ b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
@ -271,7 +271,11 @@ libpqrcv_connect(const char *conninfo, bool replication, bool logical,
 				 errhint("Target server's authentication method must be changed, or set password_required=false in the subscription parameters.")));
 	}

-	if (logical)
+	/*
+	 * Set always-secure search path for the cases where the connection is
+	 * used to run SQL queries, so malicious users can't get control.
+	 */
+	if (!replication || logical)
 	{
 		PGresult   *res;

--- a/src/backend/replication/logical/slotsync.c
+++ b/src/backend/replication/logical/slotsync.c
@ -105,10 +105,10 @@ bool		sync_replication_slots = false;
 * (within a MIN/MAX range) according to slot activity. See
 * wait_for_slot_activity() for details.
 */
-#define MIN_WORKER_NAPTIME_MS  200
-#define MAX_WORKER_NAPTIME_MS  30000	/* 30s */
+#define MIN_SLOTSYNC_WORKER_NAPTIME_MS  200
+#define MAX_SLOTSYNC_WORKER_NAPTIME_MS  30000	/* 30s */

-static long sleep_ms = MIN_WORKER_NAPTIME_MS;
+static long sleep_ms = MIN_SLOTSYNC_WORKER_NAPTIME_MS;

 /* The restart interval for slot sync work used by postmaster */
 #define SLOTSYNC_RESTART_INTERVAL_SEC 10
@ -924,12 +924,9 @@ ValidateSlotSyncParams(int elevel)
 	 * in this case regardless of elevel provided by caller.
 	 */
 	if (wal_level < WAL_LEVEL_LOGICAL)
-	{
 		ereport(ERROR,
 				errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 				errmsg("slot synchronization requires wal_level >= \"logical\""));
-		return false;
-	}

 	/*
 	 * A physical replication slot(primary_slot_name) is required on the
@ -1082,7 +1079,7 @@ wait_for_slot_activity(bool some_slot_updated)
 		 * No slots were updated, so double the sleep time, but not beyond the
 		 * maximum allowable value.
 		 */
-		sleep_ms = Min(sleep_ms * 2, MAX_WORKER_NAPTIME_MS);
+		sleep_ms = Min(sleep_ms * 2, MAX_SLOTSYNC_WORKER_NAPTIME_MS);
 	}
 	else
 	{
@ -1090,7 +1087,7 @@ wait_for_slot_activity(bool some_slot_updated)
 		 * Some slots were updated since the last sleep, so reset the sleep
 		 * time.
 		 */
-		sleep_ms = MIN_WORKER_NAPTIME_MS;
+		sleep_ms = MIN_SLOTSYNC_WORKER_NAPTIME_MS;
 	}

 	rc = WaitLatch(MyLatch,
@ -1215,6 +1212,16 @@ ReplSlotSyncWorkerMain(int argc, char *argv[])
 	 */
 	sigprocmask(SIG_SETMASK, &UnBlockSig, NULL);

+	/*
+	 * Set always-secure search path, so malicious users can't redirect user
+	 * code (e.g. operators).
+	 *
+	 * It's not strictly necessary since we won't be scanning or writing to
+	 * any user table locally, but it's good to retain it here for added
+	 * precaution.
+	 */
+	SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
+
 	dbname = CheckAndGetDbnameFromConninfo();

 	/*