1. 05 Jun, 2012 1 commit
    • Tom Lane's avatar
      Fix some more bugs in contrib/xml2's xslt_process(). · d9b31e48
      Tom Lane authored
      It failed to check for error return from xsltApplyStylesheet(), as reported
      by Peter Gagarinov.  (So far as I can tell, libxslt provides no convenient
      way to get a useful error message in failure cases.  There might be some
      inconvenient way, but considering that this code is deprecated it's hard to
      get enthusiastic about putting lots of work into it.  So I just made it say
      "failed to apply stylesheet", in line with the existing error checks.)
      
      While looking at the code I also noticed that the string returned by
      xsltSaveResultToString was never freed, resulting in a session-lifespan
      memory leak.
      
      Back-patch to all supported versions.
      d9b31e48
  2. 03 Jun, 2012 1 commit
    • Tom Lane's avatar
      Fix memory leaks in failure paths in buildACLCommands and parseAclItem. · d73b7f97
      Tom Lane authored
      This is currently only cosmetic, since all the call sites just curl up
      and die in event of a failure return.  It might be important for some
      future use-case, though, and in any case it quiets warnings from the
      clang static analyzer (as reported by Anna Zaks).
      
      Josh Kupershmidt
      d73b7f97
  3. 01 Jun, 2012 8 commits
  4. 31 May, 2012 7 commits
    • Tom Lane's avatar
      Stamp 9.2beta2. · 4bec93ac
      Tom Lane authored
      4bec93ac
    • Tom Lane's avatar
      51ecf52c
    • Tom Lane's avatar
      a04dc87d
    • Simon Riggs's avatar
      Only throw recovery conflicts when InHotStandby. Bug fix to recent · a2b516da
      Simon Riggs authored
      patch to allow Index Only Scans on Hot Standby.
      
      Bug report from Jaime Casanova
      a2b516da
    • Tom Lane's avatar
      Update time zone data files to tzdata release 2012c. · c8105e62
      Tom Lane authored
      DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands,
      Gaza, Haiti, Hebron, Morocco, Syria, Tokelau Islands.
      Historical corrections for Canada.
      c8105e62
    • Tom Lane's avatar
      Force PL and range-type support functions to be owned by a superuser. · ad0009e7
      Tom Lane authored
      We allow non-superusers to create procedural languages (with restrictions)
      and range datatypes.  Previously, the automatically-created support
      functions for these objects ended up owned by the creating user.  This
      represents a rather considerable security hazard, because the owning user
      might be able to alter a support function's definition in such a way as to
      crash the server, inject trojan-horse SQL code, or even execute arbitrary
      C code directly.  It appears that right now the only actually exploitable
      problem is the infinite-recursion bug fixed in the previous patch for
      CVE-2012-2655.  However, it's not hard to imagine that future additions of
      more ALTER FUNCTION capability might unintentionally open up new hazards.
      To forestall future problems, cause these support functions to be owned by
      the bootstrap superuser, not the user creating the parent object.
      ad0009e7
    • Tom Lane's avatar
      Ignore SECURITY DEFINER and SET attributes for a PL's call handler. · 33c6eaf7
      Tom Lane authored
      It's not very sensible to set such attributes on a handler function;
      but if one were to do so, fmgr.c went into infinite recursion because
      it would call fmgr_security_definer instead of the handler function proper.
      There is no way for fmgr_security_definer to know that it ought to call the
      handler and not the original function referenced by the FmgrInfo's fn_oid,
      so it tries to do the latter, causing the whole process to start over
      again.
      
      Ordinarily such misconfiguration of a procedural language's handler could
      be written off as superuser error.  However, because we allow non-superuser
      database owners to create procedural languages and the handler for such a
      language becomes owned by the database owner, it is possible for a database
      owner to crash the backend, which ideally shouldn't be possible without
      superuser privileges.  In 9.2 and up we will adjust things so that the
      handler functions are always owned by superusers, but in existing branches
      this is a minor security fix.
      
      Problem noted by Noah Misch (after several of us had failed to detect
      it :-().  This is CVE-2012-2655.
      33c6eaf7
  5. 30 May, 2012 6 commits
    • Tom Lane's avatar
      Expand the allowed range of timezone offsets to +/-15:59:59 from Greenwich. · cd0ff9c0
      Tom Lane authored
      We used to only allow offsets less than +/-13 hours, then it was +/14,
      then it was +/-15.  That's still not good enough though, as per today's bug
      report from Patric Bechtel.  This time I actually looked through the Olson
      timezone database to find the largest offsets used anywhere.  The winners
      are Asia/Manila, at -15:56:00 until 1844, and America/Metlakatla, at
      +15:13:42 until 1867.  So we'd better allow offsets less than +/-16 hours.
      
      Given the history, we are way overdue to have some greppable #define
      symbols controlling this, so make some ... and also remove an obsolete
      comment that didn't get fixed the last time.
      
      Back-patch to all supported branches.
      cd0ff9c0
    • Robert Haas's avatar
      Fix two more bugs in fast-path relation locking. · 07ab1383
      Robert Haas authored
      First, the previous code failed to account for the fact that, during Hot
      Standby operation, the startup process takes AccessExclusiveLocks on
      relations without setting MyDatabaseId.  This resulted in fast path
      strong lock counts failing to be incremented with the startup process
      took locks, which in turn allowed conflicting lock requests to succeed
      when they should not have.  Report by Erik Rijkers, diagnosis by Heikki
      Linnakangas.
      
      Second, LockReleaseAll() failed to honor the allLocks and lockmethodid
      restrictions with respect to fast-path locks.  It's not clear to me
      whether this produces any user-visible breakage at the moment, but it's
      certainly wrong.  Rearrange order of operations in LockReleaseAll to fix.
      Noted by Tom Lane.
      07ab1383
    • Tom Lane's avatar
      Fix incorrect password transformation in contrib/pgcrypto's DES crypt(). · 932ded2e
      Tom Lane authored
      Overly tight coding caused the password transformation loop to stop
      examining input once it had processed a byte equal to 0x80.  Thus, if the
      given password string contained such a byte (which is possible though not
      highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
      subsequent characters would not contribute to the hash, making the password
      much weaker than it appears on the surface.
      
      This would only affect cases where applications used DES crypt() to encode
      passwords before storing them in the database.  If a weak password has been
      created in this fashion, the hash will stop matching after this update has
      been applied, so it will be easy to tell if any passwords were unexpectedly
      weak.  Changing to a different password would be a good idea in such a case.
      (Since DES has been considered inadequately secure for some time, changing
      to a different encryption algorithm can also be recommended.)
      
      This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
      Since the other projects have already published their fixes, there is no
      point in trying to keep this commit private.
      
      This bug has been assigned CVE-2012-2143, and credit for its discovery goes
      to Rubin Xu and Joseph Bonneau.
      932ded2e
    • Heikki Linnakangas's avatar
      Change the way parent pages are tracked during buffered GiST build. · d1996ed5
      Heikki Linnakangas authored
      We used to mimic the way a stack is constructed when descending the tree
      during normal GiST inserts, but that was quite complicated during a buffered
      build. It was also wrong: in GiST, the left-to-right relationships on
      different levels might not match each other, so that when you know the
      parent of a child page, you won't necessarily find the parent of the page to
      the right of the child page by following the rightlinks at the parent level.
      This sometimes led to "could not re-find parent" errors while building a
      GiST index.
      
      We now use a simple hash table to track the parent of every internal page.
      Whenever a page is split, and downlinks are moved from one page to another,
      we update the hash table accordingly. This is also better for performance
      than the old method, as we never need to move right to re-find the parent
      page, which could take a significant amount of time for buffers that were
      created much earlier in the index build.
      d1996ed5
    • Heikki Linnakangas's avatar
      Delete the temporary file used in buffered GiST build, after the build. · be02b168
      Heikki Linnakangas authored
      There were two bugs here: We forgot to call gistFreeBuildBuffers() function
      at the end of build, and we passed interXact == true to BufFileCreateTemp,
      so the file wasn't automatically cleaned up at end-of-transaction either.
      be02b168
    • Tom Lane's avatar
      Rewrite --section option to decouple it from --schema-only/--data-only. · 4317e024
      Tom Lane authored
      The initial implementation of pg_dump's --section option supposed that the
      existing --schema-only and --data-only options could be made equivalent to
      --section settings.  This is wrong, though, due to dubious but long since
      set-in-stone decisions about where to dump SEQUENCE SET items, as seen in
      bug report from Martin Pitt.  (And I'm not totally convinced there weren't
      other bugs, either.)  Undo that coupling and instead drive --section
      filtering off current-section state tracked as we scan through the TOC
      list to call _tocEntryRequired().
      
      To make sure those decisions don't shift around and hopefully save a few
      cycles, run _tocEntryRequired() only once per TOC entry and save the result
      in a new TOC field.  This required minor rejiggering of ACL handling but
      also allows a far cleaner implementation of inhibit_data_for_failed_table.
      
      Also, to ensure that pg_dump and pg_restore have the same behavior with
      respect to the --section switches, add _tocEntryRequired() filtering to
      WriteToc() and WriteDataChunks(), rather than trying to implement section
      filtering in an entirely orthogonal way in dumpDumpableObject().  This
      required adjusting the handling of the special ENCODING and STDSTRINGS
      items, but they were pretty weird before anyway.
      
      Minor other code review for the patch, too.
      4317e024
  6. 29 May, 2012 3 commits
    • Heikki Linnakangas's avatar
      Fix integer overflow bug in GiST buffering build calculations. · 4bc6fb57
      Heikki Linnakangas authored
      The result of (maintenance_work_mem * 1024) / BLCKSZ doesn't fit in a signed
      32-bit integer, if maintenance_work_mem >= 2GB. Use double instead. And
      while we're at it, write the calculations in an easier to understand form,
      with the intermediary steps written out and commented.
      4bc6fb57
    • Tom Lane's avatar
      Teach AbortOutOfAnyTransaction to clean up partially-started transactions. · 2755abf3
      Tom Lane authored
      AbortOutOfAnyTransaction failed to do anything if the state it saw on
      entry corresponded to failing partway through StartTransaction.  I fixed
      AbortCurrentTransaction to cope with that case way back in commit
      60b2444c, but evidently overlooked that
      AbortOutOfAnyTransaction should do likewise.
      
      Back-patch to all supported branches.  It's not clear that this omission
      has any more-than-cosmetic consequences, but it's also not clear that it
      doesn't, so back-patching seems the least risky choice.
      2755abf3
    • Tom Lane's avatar
      Eliminate some more O(N^2) behaviors in pg_dump/pg_restore. · c89bdf76
      Tom Lane authored
      This patch fixes three places (which AFAICT is all of them) where runtime
      was O(N^2) in the number of TOC entries, by using an index array to replace
      linear searches of the TOC list.  This performance issue is a bit less bad
      than those recently fixed, because it depends on the number of items dumped
      not the number in the source database, so the problem can be dodged by
      doing partial dumps.
      
      The previous coding already had an instance of one of the two index arrays
      needed, but it was only calculated in parallel-restore cases; now we need
      it all the time.  I also chose to move the arrays into the ArchiveHandle
      data structure, to make this code a bit more ready for the day that we
      try to sling multiple ArchiveHandles around in pg_dump or pg_restore.
      
      Since we still need some server-side work before pg_dump can really cope
      nicely with tens of thousands of tables, there's probably little point in
      back-patching.
      c89bdf76
  7. 28 May, 2012 1 commit
    • Peter Eisentraut's avatar
      libpq: URI parsing fixes · 2d612abd
      Peter Eisentraut authored
      Drop special handling of host component with slashes to mean
      Unix-domain socket.  Specify it as separate parameter or using
      percent-encoding now.
      
      Allow omitting username, password, and port even if the corresponding
      designators are present in URI.
      
      Handle percent-encoding in query parameter keywords.
      
      Alex Shulgin
      
      some documentation improvements by myself
      2d612abd
  8. 27 May, 2012 9 commits
  9. 26 May, 2012 1 commit
    • Tom Lane's avatar
      Prevent synchronized scanning when systable_beginscan chooses a heapscan. · 532fe28d
      Tom Lane authored
      The only interesting-for-performance case wherein we force heapscan here
      is when we're rebuilding the relcache init file, and the only such case
      that is likely to be examining a catalog big enough to be syncscanned is
      RelationBuildTupleDesc.  But the early-exit optimization in that code gets
      broken if we start the scan at a random place within the catalog, so that
      allowing syncscan is actually a big deoptimization if pg_attribute is large
      (at least for the normal case where the rows for core system catalogs have
      never been changed since initdb).  Hence, prevent syncscan here.  Per my
      testing pursuant to complaints from Jeff Frost and Greg Sabino Mullane,
      though neither of them seem to have actually hit this specific problem.
      
      Back-patch to 8.3, where syncscan was introduced.
      532fe28d
  10. 25 May, 2012 3 commits