1. 08 Sep, 2009 3 commits
    • Tom Lane's avatar
      Add a boolean GUC parameter "bonjour" to control whether a Bonjour-enabled · eeb6cb14
      Tom Lane authored
      build actually attempts to advertise itself via Bonjour.  Formerly it always
      did so, which meant that packagers had to decide for their users whether
      this behavior was wanted or not.  The default is "off" to be on the safe
      side, though this represents a change in the default behavior of a
      Bonjour-enabled build.  Per discussion.
      eeb6cb14
    • Tom Lane's avatar
      Replace use of the long-deprecated Bonjour API DNSServiceRegistrationCreate · 59b9f3d3
      Tom Lane authored
      with the not-so-deprecated DNSServiceRegister.  This patch shouldn't change
      any user-visible behavior, it just gets rid of a deprecation warning in
      --with-bonjour builds.  The new code will fail on OS X releases before 10.3,
      but it seems unlikely that anyone will want to run Postgres 8.5 on 10.2.
      59b9f3d3
    • Tom Lane's avatar
      Remove outside-the-scanner references to "yyleng". · 4d3456e8
      Tom Lane authored
      It seems the flex developers have decided to change yyleng from int to size_t.
      This has already happened in the latest release of OS X, and will start
      happening elsewhere once the next release of flex appears.  Rather than trying
      to divine how it's declared in any particular build, let's just remove the one
      existing not-very-necessary external usage.
      
      Back-patch to all supported branches; not so much because users in the field
      are likely to care about building old branches with cutting-edge flex, as
      to keep OSX-based buildfarm members from having problems with old branches.
      4d3456e8
  2. 07 Sep, 2009 1 commit
  3. 06 Sep, 2009 1 commit
  4. 05 Sep, 2009 2 commits
  5. 04 Sep, 2009 4 commits
    • Tom Lane's avatar
    • Tom Lane's avatar
      Remove pgstat's discrimination against MsgVacuum and MsgAnalyze messages. · 47ef623c
      Tom Lane authored
      Formerly, these message types would be discarded unless there was already
      a stats hash table entry for the target table.  However, the intent of
      saving hash table space for unused tables was subverted by the fact that
      the physical I/O done by the vacuum or analyze would result in an immediately
      following tabstat message, which would create the hash table entry anyway.
      All that we had left was surprising loss of statistical data, as in a recent
      complaint from Jaime Casanova.
      
      It seems unlikely that a real database would have many tables that go totally
      untouched over the long haul, so the consensus is that this "optimization"
      serves little purpose anyhow.  Remove it, and just create the hash table
      entry on demand in all cases.
      47ef623c
    • Heikki Linnakangas's avatar
      Tigthen binary receive functions so that they reject values that the text · 7be39bb0
      Heikki Linnakangas authored
      input functions don't accept either. While the backend can handle such
      values fine, they can cause trouble in clients and in pg_dump/restore.
      
      This is followup to the original issue on time datatype reported by Andrew
      McNamara a while ago. Like that one, none of these seem worth
      back-patching.
      7be39bb0
    • Heikki Linnakangas's avatar
      Fix encoding handling in xml binary input function. If the XML header didn't · 237859e4
      Heikki Linnakangas authored
      specify an encoding explicitly, we used to treat it as being in database
      encoding when we parsed it, but then perform a UTF-8 -> database encoding
      conversion on it, which was completely bogus. It's now consistently treated as
      UTF-8.
      237859e4
  6. 03 Sep, 2009 9 commits
    • Tom Lane's avatar
      1608489b
    • Tom Lane's avatar
      Make LOAD of an already-loaded library into a no-op, instead of attempting · 602a9ef5
      Tom Lane authored
      to unload and re-load the library.
      
      The difficulty with unloading a library is that we haven't defined safe
      protocols for doing so.  In particular, there's no safe mechanism for
      getting out of a "hook" function pointer unless libraries are unloaded
      in reverse order of loading.  And there's no mechanism at all for undefining
      a custom GUC variable, so GUC would be left with a pointer to an old value
      that might or might not still be valid, and very possibly wouldn't be in
      the same place anymore.
      
      While the unload and reload behavior had some usefulness in easing
      development of new loadable libraries, it's of no use whatever to normal
      users, so just disabling it isn't giving up that much.  Someday we might
      care to expend the effort to develop safe unload protocols; but even if
      we did, there'd be little certainty that every third-party loadable module
      was following them, so some security restrictions would still be needed.
      
      Back-patch to 8.2; before that, LOAD was superuser-only anyway.
      
      Security: unprivileged users could crash backend.  CVE not assigned yet
      602a9ef5
    • Tom Lane's avatar
      Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer · 187e5d89
      Tom Lane authored
      functions.
      
      This extends the previous patch that forbade SETting these variables inside
      security-definer functions.  RESET is equally a security hole, since it
      would allow regaining privileges of the caller; furthermore it can trigger
      Assert failures and perhaps other internal errors, since the code is not
      expecting these variables to change in such contexts.  The previous patch
      did not cover this case because assign hooks don't really have enough
      information, so move the responsibility for preventing this into guc.c.
      
      Problem discovered by Heikki Linnakangas.
      
      Security: no CVE assigned yet, extends CVE-2007-6600
      187e5d89
    • Tom Lane's avatar
      Install a workaround for a longstanding gcc bug that allows SIGFPE traps · d0a368c6
      Tom Lane authored
      to occur for division by zero, even though the code is carefully avoiding
      that.  All available evidence is that the only functions affected are
      int24div, int48div, and int28div, so patch just those three functions to
      include a "return" after the ereport() call.
      
      Backpatch to 8.4 so that the fix can be tested in production builds.
      For older branches our recommendation will continue to be to use -O1
      on affected platforms (which are mostly non-mainstream anyway).
      d0a368c6
    • Michael Meskes's avatar
      Fixed incorrect memory management. · fc193739
      Michael Meskes authored
      fc193739
    • Michael Meskes's avatar
      Removed some variables no longer needed. · 2720c570
      Michael Meskes authored
      2720c570
    • Michael Meskes's avatar
      fe35c8e1
    • Tom Lane's avatar
      Update time zone data files to tzdata release 2009l: DST law changes in · 49d960c4
      Tom Lane authored
      Egypt, Mauritius, Bangladesh.
      49d960c4
    • Tom Lane's avatar
      Remove initdb's rather gratuitous check to see if the backend created a · b02c32e1
      Tom Lane authored
      flat password file, because it never will anymore.  We had managed to
      miss this during the recent flat-file-ectomy because it only happens if
      --pwfile or --pwprompt is specified to initdb.  Apparently, few hackers
      use those.  Reported by Erik Rijkers.
      b02c32e1
  7. 02 Sep, 2009 3 commits
    • Magnus Hagander's avatar
    • Tom Lane's avatar
      Fix subquery pullup to wrap a PlaceHolderVar around the entire RowExpr · 57c9dff9
      Tom Lane authored
      that's generated for a whole-row Var referencing the subquery, when the
      subquery is in the nullable side of an outer join.  The previous coding
      instead put PlaceHolderVars around the elements of the RowExpr.  The effect
      was that when the outer join made the subquery outputs go to null, the
      whole-row Var produced ROW(NULL,NULL,...) rather than just NULL.  There
      are arguments afoot about whether those things ought to be semantically
      indistinguishable, but for the moment they are not entirely so, and the
      planner needs to take care that its machinations preserve the difference.
      Per bug #5025.
      
      Making this feasible required refactoring ResolveNew() to allow more caller
      control over what is substituted for a Var.  I chose to make ResolveNew()
      a wrapper around a new general-purpose function replace_rte_variables().
      I also fixed the ancient bogosity that ResolveNew might fail to set
      a query's hasSubLinks field after inserting a SubLink in it.  Although
      all current callers make sure that happens anyway, we've had bugs of that
      sort before, and it seemed like a good time to install a proper solution.
      
      Back-patch to 8.4.  The problem can be demonstrated clear back to 8.0,
      but the fix would be too invasive in earlier branches; not to mention
      that people may be depending on the subtly-incorrect behavior.  The
      8.4 series is new enough that fixing this probably won't cause complaints,
      but it might in older branches.  Also, 8.4 shows the incorrect behavior
      in more cases than older branches do, because it is able to flatten
      subqueries in more cases.
      57c9dff9
    • Tom Lane's avatar
      Fix pg_ctl's readfile() to not go into infinite loop on an empty file · 040f28b4
      Tom Lane authored
      (could happen if either postgresql.conf or postmaster.opts is empty).
      It's been broken since the C version was written for 8.0, so patch
      all the way back.
      
      initdb's copy of the function is broken in the same way, but it's
      less important there since the input files should never be empty.
      Patch that in HEAD only, and also fix some cosmetic differences that
      crept into that copy of the function.
      
      Per report from Corry Haines and Jeff Davis.
      040f28b4
  8. 01 Sep, 2009 5 commits
  9. 31 Aug, 2009 2 commits
    • Tom Lane's avatar
      Change the autovacuum launcher to read pg_database directly, rather than · 00e6a16d
      Tom Lane authored
      via the "flat files" facility.  This requires making it enough like a backend
      to be able to run transactions; it's no longer an "auxiliary process" but
      more like the autovacuum worker processes.  Also, its signal handling has
      to be brought into line with backends/workers.  In particular, since it
      now has to handle procsignal.c processing, the special autovac-launcher-only
      signal conditions are moved to SIGUSR2.
      
      Alvaro, with some cleanup from Tom
      00e6a16d
    • Tom Lane's avatar
      Track the current XID wrap limit (or more accurately, the oldest unfrozen · 25ec228e
      Tom Lane authored
      XID) in checkpoint records.  This eliminates the need to recompute the value
      from scratch during database startup, which is one of the two remaining
      reasons for the flatfile code to exist.  It should also simplify life for
      hot-standby operation.
      
      To avoid bloating the checkpoint records unreasonably, I switched from
      tracking the oldest database by name to tracking it by OID.  This turns
      out to save cycles in general (everywhere but the warning-generating
      paths, which we hardly care about) and also helps us deal with the case
      that the oldest database got dropped instead of being vacuumed.  The prior
      coding might go for a long time without updating the wrap limit in that case,
      which is bad because it might result in a lot of useless autovacuum activity.
      25ec228e
  10. 30 Aug, 2009 2 commits
  11. 29 Aug, 2009 2 commits
    • Tom Lane's avatar
      Remove the use of the pg_auth flat file for client authentication. · e710b65c
      Tom Lane authored
      (That flat file is now completely useless, but removal will come later.)
      
      To do this, postpone client authentication into the startup transaction
      that's run by InitPostgres.  We still collect the startup packet and do
      SSL initialization (if needed) at the same time we did before.  The
      AuthenticationTimeout is applied separately to startup packet collection
      and the actual authentication cycle.  (This is a bit annoying, since it
      means a couple extra syscalls; but the signal handling requirements inside
      and outside a transaction are sufficiently different that it seems best
      to treat the timeouts as completely independent.)
      
      A small security disadvantage is that if the given database name is invalid,
      this will be reported to the client before any authentication happens.
      We could work around that by connecting to database "postgres" instead,
      but consensus seems to be that it's not worth introducing such surprising
      behavior.
      
      Processing of all command-line switches and GUC options received from the
      client is now postponed until after authentication.  This means that
      PostAuthDelay is much less useful than it used to be --- if you need to
      investigate problems during InitPostgres you'll have to set PreAuthDelay
      instead.  However, allowing an unauthenticated user to set any GUC options
      whatever seems a bit too risky, so we'll live with that.
      e710b65c
    • Bruce Momjian's avatar
  12. 28 Aug, 2009 3 commits
  13. 27 Aug, 2009 3 commits
    • Tom Lane's avatar
      Modify the definition of window-function PARTITION BY and ORDER BY clauses · bb16dc49
      Tom Lane authored
      so that their elements are always taken as simple expressions over the
      query's input columns.  It originally seemed like a good idea to make them
      act exactly like GROUP BY and ORDER BY, right down to the SQL92-era behavior
      of accepting output column names or numbers.  However, that was not such a
      great idea, for two reasons:
      
      1. It permits circular references, as exhibited in bug #5018: the output
      column could be the one containing the window function itself.  (We actually
      had a regression test case illustrating this, but nobody thought twice about
      how confusing that would be.)
      
      2. It doesn't seem like a good idea for, eg, "lead(foo) OVER (ORDER BY foo)"
      to potentially use two completely different meanings for "foo".
      
      Accordingly, narrow down the behavior of window clauses to use only the
      SQL99-compliant interpretation that the expressions are simple expressions.
      bb16dc49
    • Alvaro Herrera's avatar
      Fix broken markup · f065b17d
      Alvaro Herrera authored
      Jan Urbański
      f065b17d
    • Tom Lane's avatar
      Make the .DEF file generation rules safe against tabs in exports.txt. · 3d167209
      Tom Lane authored
      Per bug #5016, although I think the MSVC build scripts may need a similar fix.
      3d167209