1. 16 Aug, 2012 18 commits
  2. 15 Aug, 2012 13 commits
  3. 14 Aug, 2012 7 commits
    • Tom Lane's avatar
      e45ae401
    • Prevent access to external files/URLs via contrib/xml2's xslt_process(). · adc97d03
      Tom Lane authored
      libxslt offers the ability to read and write both files and URLs through
      stylesheet commands, thus allowing unprivileged database users to both read
      and write data with the privileges of the database server.  Disable that
      through proper use of libxslt's security options.
      
      Also, remove xslt_process()'s ability to fetch documents and stylesheets
      from external files/URLs.  While this was a documented "feature", it was
      long regarded as a terrible idea.  The fix for CVE-2012-3489 broke that
      capability, and rather than expend effort on trying to fix it, we're just
      going to summarily remove it.
      
      While the ability to write as well as read makes this security hole
      considerably worse than CVE-2012-3489, the problem is mitigated by the fact
      that xslt_process() is not available unless contrib/xml2 is installed,
      and the longstanding warnings about security risks from that should have
      discouraged prudent DBAs from installing it in security-exposed databases.
      
      Reported and fixed by Peter Eisentraut.
      
      Security: CVE-2012-3488
    • Prevent access to external files/URLs via XML entity references. · 17351fce
      Tom Lane authored
      xml_parse() would attempt to fetch external files or URLs as needed to
      resolve DTD and entity references in an XML value, thus allowing
      unprivileged database users to attempt to fetch data with the privileges
      of the database server.  While the external data wouldn't get returned
      directly to the user, portions of it could be exposed in error messages
      if the data didn't parse as valid XML; and in any case the mere ability
      to check existence of a file might be useful to an attacker.
      
      The ideal solution to this would still allow fetching of references that
      are listed in the host system's XML catalogs, so that documents can be
      validated according to installed DTDs.  However, doing that with the
      available libxml2 APIs appears complex and error-prone, so we're not going
      to risk it in a security patch that necessarily hasn't gotten wide review.
      So this patch merely shuts off all access, causing any external fetch to
      silently expand to an empty string.  A future patch may improve this.
      
      In HEAD and 9.2, also suppress warnings about undefined entities, which
      would otherwise occur as a result of not loading referenced DTDs.  Previous
      branches don't show such warnings anyway, due to different error handling
      arrangements.
      
      Credit to Noah Misch for first reporting the problem, and for much work
      towards a solution, though this simplistic approach was not his preference.
      Also thanks to Daniel Veillard for consultation.
      
      Security: CVE-2012-3489
    • Revert "commit_delay" change; just add comment that we don't have · 03bda453
      Bruce Momjian authored
      a microsecond specification.
    • Add pg_settings units display for "commit_delay" (ms). · e7472744
      Bruce Momjian authored
      Also remove unnecessary units designation in postgresql.conf.sample.
    • In documentation, change "recommendable" to "recommended", per · 1d96cf94
      Bruce Momjian authored
      consultation with word definitions.
      
      Backpatch to 9.2.
    • Update time zone data files to tzdata release 2012e. · 51fd748e
      Tom Lane authored
      DST law changes in Morocco; Tokelau has relocated to the other side of
      the International Date Line; and apparently Olson had Tokelau's GMT
      offset wrong by an hour even before that.
      
      There are also a large number of non-significant changes in this update.
      Upstream took the opportunity to remove trailing whitespace, and the
      SCCS-style version numbers on the individual files are gone too.
  4. 13 Aug, 2012 1 commit
    • Add runtime checks for number of query parameters passed to libpq functions. · f86e6ba4
      Heikki Linnakangas authored
      The maximum number of parameters supported by the FE/BE protocol is 65535,
      as it's transmitted as a 16-bit unsigned integer. However, the nParams
      arguments to libpq functions are all of type 'int'. We can't change the
      signature of libpq functions, but a simple bounds check is in order to make
      it more clear what's going wrong if you try to pass more than 65535
      parameters.
      
      Per complaint from Jim Vanns.
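
The truncation that the f86e6ba4 commit message describes, as an added example that is not part of the commit or of libpq's code: a count held in an `int` is written to a 16-bit wire field, first without and then with a bounds check. The function names, the big-endian layout, and the rejection of negative counts are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest count a 16-bit unsigned wire field can carry (figure from the commit message). */
#define WIRE_MAX_PARAMS 65535

/* Hypothetical helper: store a count in a 2-byte big-endian field with no
 * range check. Returns the value that actually goes on the wire. */
static unsigned encode_count_unchecked(int nParams, unsigned char out[2])
{
    uint16_t wire = (uint16_t) nParams;   /* keeps only the low 16 bits */
    out[0] = (unsigned char) (wire >> 8);
    out[1] = (unsigned char) (wire & 0xFF);
    return wire;
}

/* Hypothetical helper: same encoding, but refuse counts the field cannot
 * represent. Returns 0 on success, -1 if nParams is out of range. */
static int encode_count_checked(int nParams, unsigned char out[2])
{
    if (nParams < 0 || nParams > WIRE_MAX_PARAMS)
        return -1;
    (void) encode_count_unchecked(nParams, out);
    return 0;
}

/* What the receiving side reads back from the 2-byte field. */
static unsigned decode_count(const unsigned char in[2])
{
    return ((unsigned) in[0] << 8) | in[1];
}

int main(void)
{
    int samples[] = { 3, 65535, 65536, 70000 };   /* constructed inputs */
    unsigned char buf[2];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        encode_count_unchecked(samples[i], buf);
        printf("caller=%d unchecked wire=%u checked=%s\n", samples[i],
               decode_count(buf),
               encode_count_checked(samples[i], buf) == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Without the check, the receiver sees a count that disagrees with the number of values the caller believes it sent, which is the confusing failure the commit's bounds check replaces with an explicit error.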
  5. 12 Aug, 2012 1 commit
    • More fixes for planner's handling of LATERAL. · c1774d2c
      Tom Lane authored
      Re-allow subquery pullup for LATERAL subqueries, except when the subquery
      is below an outer join and contains lateral references to relations outside
      that outer join.  If we pull up in such a case, we risk introducing lateral
      cross-references into outer joins' ON quals, which is something the code is
      entirely unprepared to cope with right now; and I'm not sure it'll ever be
      worth coping with.
      
      Support lateral refs in VALUES (this seems to be the only additional path
      type that needs such support as a consequence of re-allowing subquery
      pullup).
      
      Put in a slightly hacky fix for joinpath.c's refusal to consider
      parameterized join paths even when there cannot be any unparameterized
      ones.  This was causing "could not devise a query plan for the given query"
      failures in queries involving more than two FROM items.
      
      Put in an even more hacky fix for distribute_qual_to_rels() being unhappy
      with join quals that contain references to rels outside their syntactic
      scope; which is to say, disable that test altogether.  Need to think about
      how to preserve some sort of debugging cross-check here, while not
      expending more cycles than befits a debugging cross-check.