summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Tag 7.4.30REL7_4_30REL7_4_STABLEMarc G. Fournier2010-10-015-17/+17
|
* Use a separate interpreter for each calling SQL userid in plperl and pltcl.Tom Lane2010-09-306-378/+635
| | | | | | | | | | | | | | | | | | | | | | | | | There are numerous methods by which a Perl or Tcl function can subvert the behavior of another such function executed later; for example, by redefining standard functions or operators called by the target function. If the target function is SECURITY DEFINER, or is called by such a function, this means that any ordinary SQL user with Perl or Tcl language usage rights can do essentially anything with the privileges of the target function's owner. To close this security hole, create a separate Perl or Tcl interpreter for each SQL userid under which plperl or pltcl functions are executed within a session. However, all plperlu or pltclu functions run within a session still share a single interpreter, since they all execute at the trust level of a database superuser anyway. Note: this change results in a functionality loss when libperl has been built without the "multiplicity" option: it's no longer possible to call plperl functions under different userids in one session, since such a libperl can't support multiple interpreters in one process. However, such a libperl already failed to support concurrent use of plperl and plperlu, so it's likely that few people use such versions with Postgres. Security: CVE-2010-3433
* Translation updates for 7.4.30Peter Eisentraut2010-09-3014-11486/+11645
|
* Update release notes for releases 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22,Tom Lane2010-09-301-2/+99
| | | | 8.0.26, and 7.4.30.
* Further fixes to the pg_get_expr() security fix in back branches.Tom Lane2010-09-251-24/+56
| | | | | | | It now emerges that the JDBC driver expects to be able to use pg_get_expr() on an output of a sub-SELECT. So extend the check logic to be able to recurse into a sub-SELECT to see if the argument is ultimately coming from an appropriate column. Per report from Thomas Kellerer.
* Still more .gitignore cleanup.Tom Lane2010-09-242-4/+0
| | | | | Fix overly-enthusiastic ignores, as identified by git ls-files -i --exclude-standard
* Prevent show_session_authorization from crashing when session_authorizationTom Lane2010-09-231-0/+4
| | | | | | | | | | | | | | | hasn't been set. The only known case where this can happen is when show_session_authorization is invoked in an autovacuum process, which is possible if an index function calls it, as for example in bug #5669 from Andrew Geery. We could perhaps try to return a sensible value, such as the name of the cluster-owning superuser; but that seems like much more trouble than the case is worth, and in any case it could create new possible failure modes. Simply returning an empty string seems like the most appropriate fix. Back-patch to all supported versions, even those before autovacuum, just in case there's another way to provoke this crash.
* Another missing .gitignore entry ...Tom Lane2010-09-231-0/+1
|
* More fixes for libpq's .gitignore file.Tom Lane2010-09-221-9/+10
| | | | | | The previous patches failed to cover a lot of symlinks that are only added in platform-specific cases. Make the lists match what's in the Makefile for each branch.
* Do some copy-editing on the Git usage docs.Tom Lane2010-09-221-20/+24
|
* Fix documentation gitignore for pre-9.0 doc build methods.Tom Lane2010-09-221-7/+21
|
* Some more gitignore cleanups: cover contrib and PL regression test outputs.Tom Lane2010-09-2237-1/+79
| | | | | Also do some further work in the back branches, where quite a bit wasn't covered by Magnus' original back-patch.
* Remove anonymous cvs instructions, and replace them with instructionsMagnus Hagander2010-09-227-895/+103
| | | | for git. Change other references from cvs to git as well.
* Convert cvsignore to gitignore, and add .gitignore for build targets.Magnus Hagander2010-09-2281-16/+216
|
* Back-patch replacement of README.CVS with README.git.Tom Lane2010-09-212-7/+7
| | | | In older branches, also git-ify the "make distdir" rule.
* Backpatch some blatant spelling mistakesPeter Eisentraut2010-08-171-2/+2
|
* Arrange to fsync the contents of lockfiles (both postmaster.pid and theTom Lane2010-08-161-1/+3
| | | | | | | | | | socket lockfile) when writing them. The lack of an fsync here may well explain two different reports we've seen of corrupted lockfile contents, which doesn't particularly bother the running server but can prevent a new server from starting if the old one crashes. Per suggestion from Alvaro. Back-patch to all supported versions.
* Fix psql's copy of utf2ucs() to match the backend's copy exactly;Tom Lane2010-08-161-10/+2
| | | | | | | | | | in particular, propagate a fix in the test to see whether a UTF8 character has length 4 bytes. This is likely of little real-world consequence because 5-or-more-byte UTF8 sequences are not supported by Postgres nor seen anywhere in the wild, but still we may as well get it right. Problem found by Joseph Adams. Bug is aboriginal, so back-patch all the way.
* Fix one more incorrect errno definition in the ECPG manual.Robert Haas2010-08-111-2/+2
| | | | Again, back-patch all the way to 7.4.
* Fix incorrect errno definitions in ECPG manual.Robert Haas2010-08-111-5/+5
| | | | | | | ecpgerrno.h hasn't materially changed since PostgreSQL 7.4, so this has been wrong for a very long time. Back-patch all the way. Satoshi Nagayasu
* Fix incorrect logic in plpgsql for cleanup after evaluation of non-simpleTom Lane2010-08-093-2/+80
| | | | | | | | | | | | | expressions. We need to deal with this when handling subscripts in an array assignment, and also when catching an exception. In an Assert-enabled build these omissions led to Assert failures, but I think in a normal build the only consequence would be short-term memory leakage; which may explain why this wasn't reported from the field long ago. Back-patch to all supported versions. 7.4 doesn't have exceptions, but otherwise these bugs go all the way back. Heikki Linnakangas and Tom Lane
* Improved version of patch to protect pg_get_expr() against misuse:Tom Lane2010-07-304-93/+135
| | | | | | | | | | look through join alias Vars to avoid breaking join queries, and move the test to someplace where it will catch more possible ways of calling a function. We still ought to throw away the whole thing in favor of a data-type-based solution, but that's not feasible in the back branches. Completion of back-port of my patch of yesterday.
* Avoid an Assert failure in deconstruct_array() by making get_attstatsslot()Tom Lane2010-07-091-5/+17
| | | | | | | | | | | | | | | | use the actual element type of the array it's disassembling, rather than trusting the type OID passed in by its caller. This is needed because sometimes the planner passes in a type OID that's only binary-compatible with the target column's type, rather than being an exact match. Per an example from Bernd Helmle. Possibly we should refactor get_attstatsslot/free_attstatsslot to not expect the caller to supply type ID data at all, but for now I'll just do the minimum-change fix. Back-patch to 7.4. Bernd's test case only crashes back to 8.0, but since these subroutines are the same in 7.4, I suspect there may be variant cases that would crash 7.4 as well.
* Fix "cannot handle unplanned sub-select" error that can occur when aTom Lane2010-07-083-2/+54
| | | | | | | | | sub-select contains a join alias reference that expands into an expression containing another sub-select. Per yesterday's report from Merlin Moncure and subsequent off-list investigation. Back-patch to 7.4. Older versions didn't attempt to flatten sub-selects in ways that would trigger this problem.
* The previous fix in CVS HEAD and 8.4 for handling the case where a cursorHeikki Linnakangas2010-07-053-7/+58
| | | | | | | | | | | being used in a PL/pgSQL FOR loop is closed was inadequate, as Tom Lane pointed out. The bug affects FOR statement variants too, because you can close an implicitly created cursor too by guessing the "<unnamed portal X>" name created for it. To fix that, "pin" the portal to prevent it from being dropped while it's being used in a PL/pgSQL FOR loop. Backpatch all the way to 7.4 which is the oldest supported version.
* Fix assorted misstatements and poor wording in the descriptions of the I/OTom Lane2010-07-031-22/+41
| | | | | | | | | formats for geometric types. Per bug #5536 from Jon Strait, and my own testing. Back-patch to all supported branches, since this doco has been wrong right along -- we certainly haven't changed the I/O behavior of these types in many years.
* stringToNode() and deparse_expression_pretty() crash on invalid input,Heikki Linnakangas2010-06-303-3/+105
| | | | | | | | | | but we have nevertheless exposed them to users via pg_get_expr(). It would be too much maintenance effort to rigorously check the input, so put a hack in place instead to restrict pg_get_expr() so that the argument must come from one of the system catalog columns known to contain valid expressions. Per report from Rushabh Lathia. Backpatch to 7.4 which is the oldest supported version at the moment.
* Fix dblink_build_sql_insert() and related functions to handle droppedTom Lane2010-06-153-38/+97
| | | | | | | | columns correctly. In passing, get rid of some dead logic in the underlying get_sql_insert() etc functions --- there is no caller that will pass null value-arrays to them. Per bug report from Robert Voinea.
* Consolidate and improve checking of key-column-attnum arguments forTom Lane2010-06-152-126/+93
| | | | | | | | | | dblink_build_sql_insert() and related functions. In particular, be sure to reject references to dropped and out-of-range column numbers. The numbers are still interpreted as physical column numbers, though, for backward compatibility. This patch replaces Joe's patch of 2010-02-03, which handled only some aspects of the problem.
* Rearrange dblink's dblink_build_sql_insert() and related routines to open andTom Lane2010-06-141-122/+87
| | | | | | | | | | | lock the target relation just once per SQL function call. The original coding obtained and released lock several times per call. Aside from saving a not-insignificant number of cycles, this eliminates possible race conditions if someone tries to modify the relation's schema concurrently. Also centralize locking and permission-checking logic. Problem noted while investigating a trouble report from Robert Voinea --- his problem is still to be fixed, though.
* Fix incorrect change in dblink introduced by the previous commitItagaki Takahiro2010-06-101-2/+2
| | | | "Fix connection leak in dblink".
* Fix connection leak in dblink when dblink_connect() or dblink_connect_u()Itagaki Takahiro2010-06-091-0/+5
| | | | | | end with "duplicate connection name" errors. Backported to release 7.4.
* > Follow up a visit from the style police.Andrew Dunstan2010-05-171-3/+3
|
* Fix longstanding typo in V1 calling conventions documentation.Robert Haas2010-05-161-2/+2
| | | | Erik Rijkers
* Improve documentation of pg_restore's -l and -L switches to point out theirTom Lane2010-05-151-16/+18
| | | | | interactions with filtering switches, such as -n and -t. Per a complaint from Russell Smith.
* tag 7.4.29REL7_4_29Marc G. Fournier2010-05-145-18/+18
|
* Update release notes with security issues.Tom Lane2010-05-131-1/+41
| | | | Security: CVE-2010-1169, CVE-2010-1170
* Use an entity instead of non-ASCII letter. Thom BrownTom Lane2010-05-131-2/+2
|
* Prevent PL/Tcl from loading the "unknown" module from pltcl_modules unlessTom Lane2010-05-132-70/+142
| | | | | | | | | | | | | | | | | | | that is a regular table or view owned by a superuser. This prevents a trojan horse attack whereby any unprivileged SQL user could create such a table and insert code into it that would then get executed in other users' sessions whenever they call pltcl functions. Worse yet, because the code was automatically loaded into both the "normal" and "safe" interpreters at first use, the attacker could execute unrestricted Tcl code in the "normal" interpreter without there being any pltclu functions anywhere, or indeed anyone else using pltcl at all: installing pltcl is sufficient to open the hole. Change the initialization logic so that the "unknown" code is only loaded into an interpreter when the interpreter is first really used. (That doesn't add any additional security in this particular context, but it seems a prudent change, and anyway the former behavior violated the principle of least astonishment.) Security: CVE-2010-1170
* Abandon the use of Perl's Safe.pm to enforce restrictions in plperl, as it isAndrew Dunstan2010-05-134-78/+493
| | | | | | | | | | | | | | | | | | | | | | | | fundamentally insecure. Instead apply an opmask to the whole interpreter that imposes restrictions on unsafe operations. These restrictions are much harder to subvert than is Safe.pm, since there is no container to be broken out of. Backported to release 7.4. In releases 7.4, 8.0 and 8.1 this also includes the necessary backporting of the two interpreters model for plperl and plperlu adopted in release 8.2. In versions 8.0 and up, the use of Perl's POSIX module to undo its locale mangling on Windows has become insecure with these changes, so it is replaced by our own routine, which is also faster. Nice side effects of the changes include that it is now possible to use perl's "strict" pragma in a natural way in plperl, and that perl's $a and $b variables now work as expected in sort routines, and that function compilation is significantly faster. Tim Bunce and Andrew Dunstan, with reviews from Alex Hunsaker and Alexey Klyukin. Security: CVE-2010-1169
* Translation updatePeter Eisentraut2010-05-136-13079/+13505
|
* Preliminary release notes for releases 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25,Tom Lane2010-05-121-1/+105
| | | | 7.4.29.
* Work around a subtle portability problem in use of printf %s format.Tom Lane2010-05-082-6/+38
| | | | | | | | | | | | | Depending on which spec you read, field widths and precisions in %s may be counted either in bytes or characters. Our code was assuming bytes, which is wrong at least for glibc's implementation, and in any case libc might have a different idea of the prevailing encoding than we do. Hence, for portable results we must avoid using anything more complex than just "%s" unless the string to be printed is known to be all-ASCII. This patch fixes the cases I could find, including the psql formatting failure reported by Hernan Gonzalez. In HEAD only, I also added comments to some places where it appears safe to continue using "%.*s".
* Add code to InternalIpcMemoryCreate() to handle the case where shmget()Tom Lane2010-05-011-1/+43
| | | | | | | | | | | | | | | | returns EINVAL for an existing shared memory segment. Although it's not terribly sensible, that behavior does meet the POSIX spec because EINVAL is the appropriate error code when the existing segment is smaller than the requested size, and the spec explicitly disclaims any particular ordering of error checks. Moreover, it does in fact happen on OS X and probably other BSD-derived kernels. (We were able to talk NetBSD into changing their code, but purging that behavior from the wild completely seems unlikely to happen.) We need to distinguish collision with a pre-existing segment from invalid size request in order to behave sensibly, so it's worth some extra code here to get it right. Per report from Gavin Kistner and subsequent investigation. Back-patch to all supported versions, since any of them could get used with a kernel having the debatable behavior.
* Fix multiple memory leaks in PLy_spi_execute_fetch_result: it would leakTom Lane2010-04-301-6/+7
| | | | | | | | | | memory if the result had zero rows, and also if there was any sort of error while converting the result tuples into Python data. Reported and partially fixed by Andres Freund. Back-patch to all supported versions. Note: I haven't tested the 7.4 fix. 7.4's configure check for python is so obsolete it doesn't work on my current machines :-(. The logic change is pretty straightforward though.
* Sync perl's ppport.h on all branches back to 7.4 with recent update on HEAD, ↵Andrew Dunstan2010-04-031-196/+6974
| | | | ensuring we can build older branches with modern Perl installations.
* Ensure that contrib/pgstattuple functions respond to cancel interruptsTom Lane2010-04-021-1/+8
| | | | | | reasonably promptly, by adding CHECK_FOR_INTERRUPTS in the per-page loops. Tatsuhito Kasahara
* Prevent ALTER USER f RESET ALL from removing the settings that were put thereAlvaro Herrera2010-03-254-9/+135
| | | | | | | | by a superuser -- "ALTER USER f RESET setting" already disallows removing such a setting. Apply the same treatment to ALTER DATABASE d RESET ALL when run by a database owner that's not superuser.
* Clear error_context_stack and debug_query_string at the beginning of proc_exit,Tom Lane2010-03-201-1/+15
| | | | | | | | | | | | | so that we won't try to attach any context printouts to messages that get emitted while exiting. Per report from Dennis Koegel, the context functions won't necessarily work after we've started shutting down the backend, and it seems possible that debug_query_string could be pointing at freed storage as well. The context information doesn't seem particularly relevant to such messages anyway, so there's little lost by suppressing it. Back-patch to all supported branches. I can only demonstrate a crash with log_disconnections messages back to 8.1, but the risk seems real in 8.0 and before anyway.
* Typo fixes.Magnus Hagander2010-03-171-2/+2
| | | | Fujii Masao
View Lorry Controller Status