1. 12 Dec, 2009 1 commit
    • Robert Haas's avatar
      Export ExplainBeginOutput() and ExplainEndOutput() for auto_explain. · 02490d46
      Robert Haas authored
      Without these functions, anyone outside of explain.c can't actually use
      ExplainPrintPlan, because the ExplainState won't be initialized properly.
      The user-visible result of this was a crash when using auto_explain with
      the JSON output format.
      
      Report by Euler Taveira de Oliveira.  Analysis by Tom Lane.  Patch by me.
      02490d46
  2. 11 Dec, 2009 5 commits
  3. 10 Dec, 2009 4 commits
  4. 09 Dec, 2009 5 commits
    • Tom Lane's avatar
      Prevent indirect security attacks via changing session-local state within · 62aba765
      Tom Lane authored
      an allegedly immutable index function.  It was previously recognized that
      we had to prevent such a function from executing SET/RESET ROLE/SESSION
      AUTHORIZATION, or it could trivially obtain the privileges of the session
      user.  However, since there is in general no privilege checking for changes
      of session-local state, it is also possible for such a function to change
      settings in a way that might subvert later operations in the same session.
      Examples include changing search_path to cause an unexpected function to
      be called, or replacing an existing prepared statement with another one
      that will execute a function of the attacker's choosing.
      
      The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
      these threats, which are the same places previously deemed to need protection
      against the SET ROLE issue.  GUC changes are still allowed, since there are
      many useful cases for that, but we prevent security problems by forcing a
      rollback of any GUC change after completing the operation.  Other cases are
      handled by throwing an error if any change is attempted; these include temp
      table creation, closing a cursor, and creating or deleting a prepared
      statement.  (In 7.4, the infrastructure to roll back GUC changes doesn't
      exist, so we settle for rejecting changes of "search_path" in these contexts.)
      
      Original report and patch by Gurjeet Singh, additional analysis by
      Tom Lane.
      
      Security: CVE-2009-4136
      62aba765
    • Magnus Hagander's avatar
      Add notes about updating disk and shared memory size information in the · 7aeaa97d
      Magnus Hagander authored
      documentation when doing new major release.
      7aeaa97d
    • Magnus Hagander's avatar
      Update size references in installation instructions to be a bit · 2367d689
      Magnus Hagander authored
      more up-to-date with current versions.
      2367d689
    • Magnus Hagander's avatar
      Reject certificates with embedded NULLs in the commonName field. This stops · abf23ee8
      Magnus Hagander authored
      attacks where an attacker would put <attack>\0<propername> in the field and
      trick the validation code that the certificate was for <attack>.
      
      This is a very low risk attack since it reuqires the attacker to trick the
      CA into issuing a certificate with an incorrect field, and the common
      PostgreSQL deployments are with private CAs, and not external ones. Also,
      default mode in 8.4 does not do any name validation, and is thus also not
      vulnerable - but the higher security modes are.
      
      Backpatch all the way. Even though versions 8.3.x and before didn't have
      certificate name validation support, they still exposed this field for
      the user to perform the validation in the application code, and there
      is no way to detect this problem through that API.
      
      Security: CVE-2009-4034
      abf23ee8
    • Tom Lane's avatar
      Update time zone data files to tzdata release 2009s: DST law changes in · 65ed2039
      Tom Lane authored
      Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine,
      Samoa, Syria.  Also historical corrections for Hong Kong.
      65ed2039
  5. 08 Dec, 2009 2 commits
  6. 07 Dec, 2009 2 commits
  7. 06 Dec, 2009 1 commit
  8. 05 Dec, 2009 2 commits
    • Peter Eisentraut's avatar
      Speed up information schema privilege views · 36f887c4
      Peter Eisentraut authored
      Instead of expensive cross joins to resolve the ACL, add table-returning
      function aclexplode() that expands the ACL into a useful form, and join
      against that.
      
      Also, implement the role_*_grants views as a thin layer over the respective
      *_privileges views instead of essentially repeating the same code twice.
      
      fixes bug #4596
      
      by Joachim Wieland, with cleanup by me
      36f887c4
    • Peter Eisentraut's avatar
      Information schema documentation · 636bac6e
      Peter Eisentraut authored
      Add a sentence of documentation about the differences between the
      *_privileges and the role_*_grants views.
      636bac6e
  9. 03 Dec, 2009 1 commit
    • Heikki Linnakangas's avatar
      Fix bug in temporary file management with subtransactions. A cursor opened · ab3148b7
      Heikki Linnakangas authored
      in a subtransaction stays open even if the subtransaction is aborted, so
      any temporary files related to it must stay alive as well. With the patch,
      we use ResourceOwners to track open temporary files and don't automatically
      close them at subtransaction end (though in the normal case temporary files
      are registered with the subtransaction resource owner and will therefore be
      closed).
      
      At end of top transaction, we still check that there's no temporary files
      marked as close-at-end-of-transaction open, but that's now just a debugging
      cross-check as the resource owner cleanup should've closed them already.
      ab3148b7
  10. 02 Dec, 2009 5 commits
  11. 01 Dec, 2009 5 commits
    • Bruce Momjian's avatar
      Enable thread safety · 925b32bb
      Bruce Momjian authored
      Enable thread safety on all platforms.  This will either be followed up
      by a more extensive patch, or reverted, depending on the build farm
      results.
      925b32bb
    • Bruce Momjian's avatar
      psql -f - · b291c0fb
      Bruce Momjian authored
      Adjust psql -f - to behave like a normal file and honor the -1 flag.
      
      Report from Robert Haas
      b291c0fb
    • Tom Lane's avatar
      Teach the regular expression functions to do case-insensitive matching and · 0d323425
      Tom Lane authored
      locale-dependent character classification properly when the database encoding
      is UTF8.
      
      The previous coding worked okay in single-byte encodings, or in any case for
      ASCII characters, but failed entirely on multibyte characters.  The fix
      assumes that the <wctype.h> functions use Unicode code points as the wchar
      representation for Unicode, ie, wchar matches pg_wchar.
      
      This is only a partial solution, since we're still stupid about non-ASCII
      characters in multibyte encodings other than UTF8.  The practical effect
      of that is limited, however, since those cases are generally Far Eastern
      glyphs for which concepts like case-folding don't apply anyway.  Certainly
      all or nearly all of the field reports of problems have been about UTF8.
      A more general solution would require switching to the platform's wchar
      representation for all regex operations; which is possible but would have
      substantial disadvantages.  Let's try this and see if it's sufficient in
      practice.
      0d323425
    • Bruce Momjian's avatar
      Revert due to Tom's concerns: · ef51395e
      Bruce Momjian authored
      Add ProcessUtility_hook() to handle all DDL to
      contrib/pg_stat_statements.
      ef51395e
    • Bruce Momjian's avatar
      ProcessUtility_hook: · d85cb272
      Bruce Momjian authored
      Add ProcessUtility_hook() to handle all DDL to contrib/pg_stat_statements.
      
      Itagaki Takahiro
      d85cb272
  12. 30 Nov, 2009 5 commits
  13. 29 Nov, 2009 2 commits