1. 01 Mar, 2018 6 commits
  2. 28 Feb, 2018 10 commits
  3. 27 Feb, 2018 9 commits
  4. 26 Feb, 2018 8 commits
      Update PartitionTupleRouting struct comment · 364de256
      Alvaro Herrera authored
      Small review on edd44738.
      
      Discussion: https://postgr.es/m/20180222165315.k27qfn4goskhoswj@alvherre.pgsql
      Reviewed-by: Robert Haas, Amit Langote
      Schema-qualify references in test_ddl_deparse test script. · fb533e45
      Tom Lane authored
      This omission seems to be what is causing buildfarm failures on crake.
      
      Security: CVE-2018-1058
      Last-minute updates for release notes. · 8af38556
      Tom Lane authored
      Security: CVE-2018-1058
      Fix typo in internal error message · 964bddf1
      Peter Eisentraut authored
      Document security implications of search_path and the public schema. · 5770172c
      Noah Misch authored
      The ability to create like-named objects in different schemas opens up
      the potential for users to change the behavior of other users' queries,
      maliciously or accidentally.  When you connect to a PostgreSQL server,
      you should remove from your search_path any schema for which a user
      other than yourself or superusers holds the CREATE privilege.  If you do
      not, other users holding CREATE privilege can redefine the behavior of
      your commands, causing them to perform arbitrary SQL statements under
      your identity.  "SET search_path = ..." and "SELECT
      pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
      can use either as the first command of a session.  As special
      exceptions, the following client applications behave as documented
      regardless of search_path settings and schema privileges: clusterdb
      createdb createlang createuser dropdb droplang dropuser ecpg (not
      programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
      pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
      pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
      pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
      vacuumlo.  Not included are core client programs that run user-specified
      SQL commands, namely psql and pgbench.  PostgreSQL encourages non-core
      client applications to do likewise.
      
      Document this in the context of libpq connections, psql connections,
      dblink connections, ECPG connections, extension packaging, and schema
      usage patterns.  The principal defense for applications is "SELECT
      pg_catalog.set_config('search_path', '', false)", and the principal
      defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
      Either one is sufficient to prevent attack.  After a REVOKE, consider
      auditing the public schema for objects named like pg_catalog objects.
      
      Authors of SECURITY DEFINER functions use some of the same defenses, and
      the CREATE FUNCTION reference page already covered them thoroughly.
      This is a good opportunity to audit SECURITY DEFINER functions for
      robust security practice.
      
      Back-patch to 9.3 (all supported versions).
      
      Reviewed by Michael Paquier and Jonathan S. Katz.  Reported by Arseniy
      Sharoglazov.
      
      Security: CVE-2018-1058
      Empty search_path in Autovacuum and non-psql/pgbench clients. · 582edc36
      Noah Misch authored
      This makes the client programs behave as documented regardless of the
      connect-time search_path and regardless of user-created objects.  Today,
      a malicious user with CREATE permission on a search_path schema can take
      control of certain of these clients' queries and invoke arbitrary SQL
      functions under the client identity, often a superuser.  This is
      exploitable in the default configuration, where all users have CREATE
      privilege on schema "public".
      
      This changes behavior of user-defined code stored in the database, like
      pg_index.indexprs and pg_extension_config_dump().  If they reach code
      bearing unqualified names, "does not exist" or "no schema has been
      selected to create in" errors might appear.  Users may fix such errors
      by schema-qualifying affected names.  After upgrading, consider watching
      server logs for these errors.
      
      The --table arguments of src/bin/scripts clients have been lax; for
      example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint.  That
      now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
      performs a checkpoint.
      
      Back-patch to 9.3 (all supported versions).
      
      Reviewed by Tom Lane, though this fix strategy was not his first choice.
      Reported by Arseniy Sharoglazov.
      
      Security: CVE-2018-1058
      Avoid using unsafe search_path settings during dump and restore. · 3d2aed66
      Tom Lane authored
      Historically, pg_dump has "set search_path = foo, pg_catalog" when
      dumping an object in schema "foo", and has also caused that setting
      to be used while restoring the object.  This is problematic because
      functions and operators in schema "foo" could capture references meant
      to refer to pg_catalog entries, both in the queries issued by pg_dump
      and those issued during the subsequent restore run.  That could
      result in dump/restore misbehavior, or in privilege escalation if a
      nefarious user installs trojan-horse functions or operators.
      
      This patch changes pg_dump so that it does not change the search_path
      dynamically.  The emitted restore script sets the search_path to what
      was used at dump time, and then leaves it alone thereafter.  Created
      objects are placed in the correct schema, regardless of the active
      search_path, by dint of schema-qualifying their names in the CREATE
      commands, as well as in subsequent ALTER and ALTER-like commands.
      
      Since this change requires a change in the behavior of pg_restore
      when processing an archive file made according to this new convention,
      bump the archive file version number; old versions of pg_restore will
      therefore refuse to process files made with new versions of pg_dump.
      
      Security: CVE-2018-1058
      Add a new upper planner relation for partially-aggregated results. · 3bf05e09
      Robert Haas authored
      Up until now, we've abused grouped_rel->partial_pathlist as a place to
      store partial paths that have been partially aggregated, but that's
      really not correct, because a partial path for a relation is supposed
      to be one which produces the correct results with the addition of only
      a Gather or Gather Merge node, and these paths also require a Finalize
      Aggregate step.  Instead, add a new partially_group_rel which can hold
      either partial paths (which need to be gathered and then have
      aggregation finalized) or non-partial paths (which only need to have
      aggregation finalized).  This allows us to reuse generate_gather_paths
      for partially_grouped_rel instead of writing new code, so that this
      patch actually adds basically no net new code while making things cleaner,
      simplifying things for pending patches for partition-wise aggregate.
      
      Robert Haas and Jeevan Chalke.  The larger patch series of which this
      patch is a part was also reviewed and tested by Antonin Houska,
      Rajkumar Raghuwanshi, David Rowley, Dilip Kumar, Konstantin Knizhnik,
      Pascal Legrand, Rafia Sabih, and me.
      
      Discussion: http://postgr.es/m/CA+TgmobrzFYS3+U8a_BCy3-hOvh5UyJbC18rEcYehxhpw5=ETA@mail.gmail.com
      Discussion: http://postgr.es/m/CA+TgmoZyQEjdBNuoG9-wC5GQ5GrO4544Myo13dVptvx+uLg9uQ@mail.gmail.com
  5. 25 Feb, 2018 2 commits
      Un-break parallel pg_upgrade. · 5b570d77
      Tom Lane authored
      Commit b3f84012 changed pg_upgrade so that it'd actually drop and
      re-create the template1 and postgres databases in the new cluster.
      That works fine, serially.  With the -j option it's not so fine, because
      other per-database jobs might be launched while the template1 database is
      dropped.  Since they attempt to connect there to start up, kaboom.
      
      This is the cause of the intermittent failures buildfarm member jacana
      has been showing for the last month; evidently it is the only BF member
      configured to run the pg_upgrade test with parallelism enabled.
      
      Fix by processing template1 separately before we get into the parallel
      sub-job launch loop.  (We could alternatively have made the postgres DB
      be the special case, but it seems likely that template1 will contain
      less stuff and so we lose less parallelism with this choice.)
      1316417b
  6. 24 Feb, 2018 5 commits