  1. 19 Aug, 2012 2 commits
  2. 18 Aug, 2012 2 commits
    • Make use of LATERAL in information_schema.sequences view. · c246eb5a
      Tom Lane authored
      It said "XXX: The following could be improved if we had LATERAL" ...
      so let's do that.
      
      No catversion bump since either version of the view works fine.
    • Another round of planner fixes for LATERAL. · 084a29c9
      Tom Lane authored
      Formerly, subquery pullup had no need to examine other entries in the range
      table, since they could not contain any references to the subquery being
      pulled up.  That's no longer true with LATERAL, so now we need to be able
      to visit rangetable subexpressions to replace Vars referencing the
      pulled-up subquery.  Also, this means that extract_lateral_references must
      be unsurprised at encountering lateral PlaceHolderVars, since such might be
      created when pulling up a subquery that's underneath an outer join with
      respect to the lateral reference.
  3. 17 Aug, 2012 3 commits
  4. 16 Aug, 2012 18 commits
  5. 15 Aug, 2012 13 commits
  6. 14 Aug, 2012 2 commits
    • e45ae401
    • Prevent access to external files/URLs via contrib/xml2's xslt_process(). · adc97d03
      Tom Lane authored
      libxslt offers the ability to read and write both files and URLs through
      stylesheet commands, thus allowing unprivileged database users to both read
      and write data with the privileges of the database server.  Disable that
      through proper use of libxslt's security options.
      
      Also, remove xslt_process()'s ability to fetch documents and stylesheets
      from external files/URLs.  While this was a documented "feature", it was
      long regarded as a terrible idea.  The fix for CVE-2012-3489 broke that
      capability, and rather than expend effort on trying to fix it, we're just
      going to summarily remove it.
      
      While the ability to write as well as read makes this security hole
      considerably worse than CVE-2012-3489, the problem is mitigated by the fact
      that xslt_process() is not available unless contrib/xml2 is installed,
      and the longstanding warnings about security risks from that should have
      discouraged prudent DBAs from installing it in security-exposed databases.
      
      Reported and fixed by Peter Eisentraut.
      
      Security: CVE-2012-3488