3 files changed, 28 insertions, 16 deletions

diff --git a/src/backend/access/transam/xlogrecovery.c b/src/backend/access/transam/xlogrecovery.c
index d73a49b3e81..9d907bf0e45 100644
--- a/src/backend/access/transam/xlogrecovery.c
+++ b/src/backend/access/transam/xlogrecovery.c
@@ -1472,13 +1472,14 @@ FinishWalRecovery(void)
 	 * Shutdown the slot sync worker to drop any temporary slots acquired by
 	 * it and to prevent it from keep trying to fetch the failover slots.
 	 *
-	 * We do not update the 'synced' column from true to false here, as any
-	 * failed update could leave 'synced' column false for some slots. This
-	 * could cause issues during slot sync after restarting the server as a
-	 * standby. While updating the 'synced' column after switching to the new
-	 * timeline is an option, it does not simplify the handling for the
-	 * 'synced' column. Therefore, we retain the 'synced' column as true after
-	 * promotion as it may provide useful information about the slot origin.
+	 * We do not update the 'synced' column in 'pg_replication_slots' system
+	 * view from true to false here, as any failed update could leave 'synced'
+	 * column false for some slots. This could cause issues during slot sync
+	 * after restarting the server as a standby. While updating the 'synced'
+	 * column after switching to the new timeline is an option, it does not
+	 * simplify the handling for the 'synced' column. Therefore, we retain the
+	 * 'synced' column as true after promotion as it may provide useful
+	 * information about the slot origin.
 	 */
 	ShutDownSlotSync();
 
diff --git a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
index 04271ee7032..1519b27adca 100644
--- a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
+++ b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
@@ -271,7 +271,11 @@ libpqrcv_connect(const char *conninfo, bool replication, bool logical,
 				 errhint("Target server's authentication method must be changed, or set password_required=false in the subscription parameters.")));
 	}
 
-	if (logical)
+	/*
+	 * Set always-secure search path for the cases where the connection is
+	 * used to run SQL queries, so malicious users can't get control.
+	 */
+	if (!replication || logical)
 	{
 		PGresult   *res;
 
diff --git a/src/backend/replication/logical/slotsync.c b/src/backend/replication/logical/slotsync.c
index 36773cfe73f..8ecb85b86a3 100644
--- a/src/backend/replication/logical/slotsync.c
+++ b/src/backend/replication/logical/slotsync.c
@@ -105,10 +105,10 @@ bool		sync_replication_slots = false;
  * (within a MIN/MAX range) according to slot activity. See
  * wait_for_slot_activity() for details.
  */
-#define MIN_WORKER_NAPTIME_MS  200
-#define MAX_WORKER_NAPTIME_MS  30000	/* 30s */
+#define MIN_SLOTSYNC_WORKER_NAPTIME_MS  200
+#define MAX_SLOTSYNC_WORKER_NAPTIME_MS  30000	/* 30s */
 
-static long sleep_ms = MIN_WORKER_NAPTIME_MS;
+static long sleep_ms = MIN_SLOTSYNC_WORKER_NAPTIME_MS;
 
 /* The restart interval for slot sync work used by postmaster */
 #define SLOTSYNC_RESTART_INTERVAL_SEC 10
@@ -924,12 +924,9 @@ ValidateSlotSyncParams(int elevel)
 	 * in this case regardless of elevel provided by caller.
 	 */
 	if (wal_level < WAL_LEVEL_LOGICAL)
-	{
 		ereport(ERROR,
 				errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 				errmsg("slot synchronization requires wal_level >= \"logical\""));
-		return false;
-	}
 
 	/*
 	 * A physical replication slot(primary_slot_name) is required on the
@@ -1082,7 +1079,7 @@ wait_for_slot_activity(bool some_slot_updated)
 		 * No slots were updated, so double the sleep time, but not beyond the
 		 * maximum allowable value.
 		 */
-		sleep_ms = Min(sleep_ms * 2, MAX_WORKER_NAPTIME_MS);
+		sleep_ms = Min(sleep_ms * 2, MAX_SLOTSYNC_WORKER_NAPTIME_MS);
 	}
 	else
 	{
@@ -1090,7 +1087,7 @@ wait_for_slot_activity(bool some_slot_updated)
 		 * Some slots were updated since the last sleep, so reset the sleep
 		 * time.
 		 */
-		sleep_ms = MIN_WORKER_NAPTIME_MS;
+		sleep_ms = MIN_SLOTSYNC_WORKER_NAPTIME_MS;
 	}
 
 	rc = WaitLatch(MyLatch,
@@ -1215,6 +1212,16 @@ ReplSlotSyncWorkerMain(int argc, char *argv[])
 	 */
 	sigprocmask(SIG_SETMASK, &UnBlockSig, NULL);
 
+	/*
+	 * Set always-secure search path, so malicious users can't redirect user
+	 * code (e.g. operators).
+	 *
+	 * It's not strictly necessary since we won't be scanning or writing to
+	 * any user table locally, but it's good to retain it here for added
+	 * precaution.
+	 */
+	SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
+
 	dbname = CheckAndGetDbnameFromConninfo();
 
 	/*