Register Server: an arbitrary SQL query can be fired while setting the role #6253
Description
Reproduction steps:
- Register the server
- Fill in the Host name/address, port, maintenance database, and username
- Enter any role that exists in the system followed by arbitrary
SQL commands, eg.
joe; RESET ROLE; CREATE TABLE pwned()
What should happen:
Error: role "joe; RESET ROLE; CREATE TABLE pwned()" does not exist
What actually happens:
Connection to the database with the login role rather than the
intended role and a new "pwned" table in the default schema.