1. 27 Jun, 2006 1 commit
  2. 23 May, 2006 1 commit
  3. 21 May, 2006 1 commit
    • Modify libpq's string-escaping routines to be aware of encoding considerations · 515112f9 (Tom Lane authored)
      and standard_conforming_strings.  The encoding changes are needed for proper
      escaping in multibyte encodings, as per the SQL-injection vulnerabilities
      noted in CVE-2006-2313 and CVE-2006-2314.  Concurrent fixes are being applied
      to the server to ensure that it rejects queries that may have been corrupted
      by attempted SQL injection, but this merely guarantees that unpatched clients
      will fail rather than allow injection.  An actual fix requires changing the
      client-side code.  While at it we have also fixed these routines to understand
      about standard_conforming_strings, so that the upcoming changeover to SQL-spec
      string syntax can be somewhat transparent to client code.
      
      Since the existing API of PQescapeString and PQescapeBytea provides no way to
      inform them which settings are in use, these functions are now deprecated in
      favor of new functions PQescapeStringConn and PQescapeByteaConn.  The new
      functions take the PGconn to which the string will be sent as an additional
      parameter, and look inside the connection structure to determine what to do.
      So as to provide some functionality for clients using the old functions,
      libpq stores the latest encoding and standard_conforming_strings values
      received from the backend in static variables, and the old functions consult
      these variables.  This will work reliably in clients using only one Postgres
      connection at a time, or even multiple connections if they all use the same
      encoding and string syntax settings; which should cover many practical
      scenarios.
      
      Clients that use homebrew escaping methods, such as PHP's addslashes()
      function or even hardwired regexp substitution, will require extra effort
      to fix :-(.  It is strongly recommended that such code be replaced by use of
      PQescapeStringConn/PQescapeByteaConn if at all feasible.
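An added example (not libpq's own code) that models the behaviour the commit message above describes: a byte-oriented escaper with no knowledge of the client encoding, an encoding-aware escaper in the spirit of PQescapeStringConn, and a check in the spirit of the server-side rejection of corrupted literals. The connection dict, the function names and the constructed Shift_JIS input are assumptions made for this illustration.

```python
# Model of escaping with and without knowledge of the connection's
# client_encoding and standard_conforming_strings (SCS). Not libpq code.

def escape_string_legacy(data: bytes) -> bytes:
    """Byte-oriented escaper that ignores the client encoding: it doubles
    every 0x27 (') and 0x5C (\\) byte, even one that is the trailing byte
    of a multibyte character."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x5C):
            out.append(b)
        out.append(b)
    return bytes(out)

def escape_string_conn(data: bytes, conn: dict) -> bytes:
    """Encoding-aware escaper: decodes under the connection's client_encoding
    (invalid input raises UnicodeDecodeError), escapes per character, and
    doubles backslashes only while SCS is off (backslash is an escape)."""
    text = data.decode(conn["client_encoding"])
    pieces = []
    for ch in text:
        if ch == "'":
            pieces.append("''")
        elif ch == "\\" and not conn["standard_conforming_strings"]:
            pieces.append("\\\\")
        else:
            pieces.append(ch)
    return "".join(pieces).encode(conn["client_encoding"])

def quoted_literal_intact(literal: bytes, conn: dict) -> bool:
    """Server-side style check on the bytes between a literal's quotes: decode
    under client_encoding and scan as the lexer would. False if decoding
    fails, a bare quote would end the literal early, or a trailing backslash
    would swallow the closing quote."""
    try:
        s = literal.decode(conn["client_encoding"])
    except UnicodeDecodeError:
        return False
    i = 0
    while i < len(s):
        if s[i] == "\\" and not conn["standard_conforming_strings"]:
            if i + 1 >= len(s):
                return False          # backslash would escape the closing quote
            i += 2                    # backslash consumes the next character
        elif s[i] == "'":
            if s[i + 1:i + 2] != "'":
                return False          # unescaped quote terminates the literal
            i += 2
        else:
            i += 1
    return True
```

The constructed input b"\x81\x5c" is a single Shift_JIS character whose second byte is 0x5C; the byte-oriented escaper doubles that byte and corrupts the literal, while the encoding-aware one leaves it alone.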
  4. 17 May, 2006 1 commit
  5. 06 May, 2006 1 commit
  6. 23 Apr, 2006 1 commit
  7. 10 Mar, 2006 1 commit
  8. 03 Mar, 2006 1 commit
  9. 01 Mar, 2006 1 commit
  10. 28 Feb, 2006 2 commits
  11. 26 Dec, 2005 1 commit
  12. 23 Dec, 2005 1 commit
  13. 04 Nov, 2005 1 commit
  14. 27 Oct, 2005 1 commit
  15. 24 Oct, 2005 1 commit
    • I have applied the following patch to document PQinitSSL() and · 81915970 (Bruce Momjian authored)
      PQregisterThreadLock().
      
      I also remove the crypt() mention in the libpq threading section and
      added a single sentence in the client-auth manual page under crypt().
      Crypt authentication is so old now that a separate paragraph about it
      seemed unwise.
      
      I also added a comment about our use of locking around pqGetpwuid().
  16. 20 Oct, 2005 2 commits
  17. 17 Oct, 2005 1 commit
  18. 13 Oct, 2005 2 commits
  19. 25 Sep, 2005 2 commits
  20. 14 Aug, 2005 1 commit
  21. 27 Jun, 2005 1 commit
  22. 26 Jun, 2005 1 commit
    • Code review for escape-strings patch. Sync psql and plpgsql lexers · d395aecf (Tom Lane authored)
      with main, avoid using a SQL-defined SQLSTATE for what is most definitely
      not a SQL-compatible error condition, fix documentation omissions,
      adhere to message style guidelines, don't use two GUC_REPORT variables
      when one is sufficient.  Nothing done about pg_dump issues.
  23. 21 Jun, 2005 1 commit
    • Cause initdb to create a third standard database "postgres", which · 6f7fc0ba (Tom Lane authored)
      unlike template0 and template1 does not have any special status in
      terms of backend functionality.  However, all external utilities such
      as createuser and createdb now connect to "postgres" instead of
      template1, and the documentation is changed to encourage people to use
      "postgres" instead of template1 as a play area.  This should fix some
      longstanding gotchas involving unexpected propagation of database
      objects by createdb (when you used template1 without understanding
      the implications), as well as ameliorating the problem that CREATE
      DATABASE is unhappy if anyone else is connected to template1.
      Patch by Dave Page, minor editing by Tom Lane.  All per recent
      pghackers discussions.
  24. 12 Jun, 2005 1 commit
  25. 10 Jun, 2005 1 commit
  26. 09 Jun, 2005 1 commit
  27. 04 Jun, 2005 1 commit
    • 72c53ac3 (Bruce Momjian authored)
      Allow kerberos name and username case sensitivity to be specified from
      postgresql.conf.
      
      ---------------------------------------------------------------------------
      
      
      Here's an updated version of the patch, with the following changes:
      
      1) No longer uses "service name" as "application version". It's instead
      hardcoded as "postgres". It could be argued that this part should be
      backpatched to 8.0, but it doesn't make a big difference until you can
      start changing it with GUC / connection parameters. This change only
      affects kerberos 5, not 4.
      
      2) Now downcases kerberos usernames when the client is running on win32.
      
      3) Adds guc option for "krb_caseins_users" to make the server ignore
      case mismatch which is required by some KDCs such as Active Directory.
      Off by default, per discussion with Tom. This change only affects
      kerberos 5, not 4.
      
      4) Updated so it doesn't conflict with the rendezvous/bonjour patch
      already in ;-)
      
      Magnus Hagander
  28. 30 May, 2005 1 commit
  29. 26 Feb, 2005 2 commits
  30. 14 Jan, 2005 1 commit
  31. 08 Jan, 2005 1 commit
  32. 06 Jan, 2005 2 commits
  33. 28 Dec, 2004 2 commits