Commit Graph

29140 Commits

Author SHA1 Message Date
Tom Lane
a5495cd841 Add a hook to let loadable modules get control at ProcessUtility execution,
and use it to extend contrib/pg_stat_statements to track utility commands.

Itagaki Takahiro, reviewed by Euler Taveira de Oliveira.
2009-12-15 20:04:49 +00:00
Tom Lane
34d26872ed Support ORDER BY within aggregate function calls, at long last providing a
non-kluge method for controlling the order in which values are fed to an
aggregate function.  At the same time eliminate the old implementation
restriction that DISTINCT was only supported for single-argument aggregates.

Possibly release-notable behavioral change: formerly, agg(DISTINCT x)
dropped null values of x unconditionally.  Now, it does so only if the
agg transition function is strict; otherwise nulls are treated as DISTINCT
normally would, ie, you get one copy.

Andrew Gierth, reviewed by Hitoshi Harada
2009-12-15 17:57:48 +00:00
Tom Lane
6a6efb9640 Fix broken markup. 2009-12-15 15:59:57 +00:00
Itagaki Takahiro
7d67e06297 Add \shell and \setshell meta commands to pgbench.
\shell command runs an external shell command.
\setshell also does the same and sets the result to a variable.

original patch by Michael Paquier with some editorialization by Itagaki,
and reviewed by Greg Smith.
2009-12-15 07:17:57 +00:00
Robert Haas
cddca5ec13 Add an EXPLAIN (BUFFERS) option to show buffer-usage statistics.
This patch also removes buffer-usage statistics from the track_counts
output, since this (or the global server statistics) is deemed to be a better
interface to this information.

Itagaki Takahiro, reviewed by Euler Taveira de Oliveira.
2009-12-15 04:57:48 +00:00
Itagaki Takahiro
6f1bf75d50 Fix pg_ctl initdb without options.
Passing NULL string to snprintf is avoided.
2009-12-15 00:17:50 +00:00
Tom Lane
a620d5005d Fix a bug introduced when set-returning SQL functions were made inline-able:
we have to cope with the possibility that the declared result rowtype contains
dropped columns.  This fails in 8.4, as per bug #5240.

While at it, be more paranoid about inserting binary coercions when inlining.
The pre-8.4 code did not really need to worry about that because it could not
inline at all in any case where an added coercion could change the behavior
of the function's statement.  However, when inlining a SRF we allow sorting,
grouping, and set-ops such as UNION.  In these cases, modifying one of the
targetlist entries that the sort/group/setop depends on could conceivably
change the behavior of the function's statement --- so don't inline when
such a case applies.
2009-12-14 02:15:54 +00:00
Itagaki Takahiro
84f910a707 Additional fixes for large object access control.
Use pg_largeobject_metadata.oid instead of pg_largeobject.loid
to enumerate existing large objects in pg_dump, pg_restore, and
contrib modules.
2009-12-14 00:39:11 +00:00
Magnus Hagander
0182d6f646 Allow LDAP authentication to operate in search+bind mode, meaning it
does a search for the user in the directory first, and then binds with
the DN found for this user.

This allows for LDAP logins in scenarios where the DN of the user cannot
be determined simply by prefix and suffix, such as the case where different
users are located in different containers.

The old way of authentication can be significantly faster, so it's kept
as an option.

Robert Fleming and Magnus Hagander
2009-12-12 21:35:21 +00:00
Tom Lane
a4e035b2f1 Fix integer-to-bit-string conversions to handle the first fractional byte
correctly when the output bit width is wider than the given integer by
something other than a multiple of 8 bits.

This has been wrong since I first wrote that code for 8.0 :-(.  Kudos to
Roman Kononov for being the first to notice, though I didn't use his
patch.  Per bug #5237.
2009-12-12 19:24:35 +00:00
Robert Haas
02490d4692 Export ExplainBeginOutput() and ExplainEndOutput() for auto_explain.
Without these functions, anyone outside of explain.c can't actually use
ExplainPrintPlan, because the ExplainState won't be initialized properly.
The user-visible result of this was a crash when using auto_explain with
the JSON output format.

Report by Euler Taveira de Oliveira.  Analysis by Tom Lane.  Patch by me.
2009-12-12 00:35:34 +00:00
Tom Lane
6b45e3b7aa Arrange to generate different random sequences in the different child
processes of a pgbench run, when we are using -j > 1 and are emulating
threads via fork().  Otherwise the children all inherit the same random
sequence state and produce the same random-number sequence.

In the threaded case the different threads will share one RNG state, so
they will produce different subsets of one sequence, which is maybe more
correlated than a purist would like but will not be "the same".  So we
leave that case alone.

First noticed by Takahiro Itagaki, and is also part of the explanation
for the pgbench misbehavior recently reported by Jaime Casanova.
2009-12-11 21:50:06 +00:00
Tom Lane
d8e511fabb Ensure that the result tuple of an EvalPlanQual cycle gets materialized
before we zap the input tuple.  Otherwise, pass-by-reference columns of
the result slot are likely to contain just references to the input
tuple, leading to big trouble if the pfree'd space is reused.  Per
trouble report from Jaime Casanova.  This is a new bug in the recent
rewrite of EvalPlanQual, so nothing to back-patch.
2009-12-11 18:14:43 +00:00
Itagaki Takahiro
f1325ce213 Add large object access control.
A new system catalog pg_largeobject_metadata manages
ownership and access privileges of large objects.

KaiGai Kohei, reviewed by Jaime Casanova.
2009-12-11 03:34:57 +00:00
Bruce Momjian
64579962bb Properly define ENABLE_THREAD_SAFETY in conflgure, per suggestion from Peter. 2009-12-11 02:21:21 +00:00
Andrew Dunstan
324385d67f Add YAML to list of EXPLAIN formats. Greg Sabino Mullane, reviewed by Takahiro Itagaki. 2009-12-11 01:33:35 +00:00
Peter Eisentraut
db7386187f PL/Python array support
Support arrays as parameters and return values of PL/Python functions.
2009-12-10 20:43:40 +00:00
Peter Eisentraut
a37b001b80 Add init[db] option to pg_ctl
pg_ctl gets a new mode that runs initdb.  Adjust the documentation a bit to
not assume that initdb is the only way to run database cluster initialization.
But don't replace initdb as the canonical way.

Author: Zdenek Kotala <Zdenek.Kotala@Sun.COM>
2009-12-10 06:32:28 +00:00
Robert Haas
da07641481 Fix levenshtein with costs. The previous code multiplied by the cost in only
3 of the 7 relevant locations.

Marcin Mank, slightly adjusted by me.
2009-12-10 01:54:17 +00:00
Tom Lane
03d7b0647f Update release notes for releases 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23,
7.4.27.
2009-12-10 00:31:14 +00:00
Tom Lane
62aba76568 Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function.  It was previously recognized that
we had to prevent such a function from executing SET/RESET ROLE/SESSION
AUTHORIZATION, or it could trivially obtain the privileges of the session
user.  However, since there is in general no privilege checking for changes
of session-local state, it is also possible for such a function to change
settings in a way that might subvert later operations in the same session.
Examples include changing search_path to cause an unexpected function to
be called, or replacing an existing prepared statement with another one
that will execute a function of the attacker's choosing.

The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
these threats, which are the same places previously deemed to need protection
against the SET ROLE issue.  GUC changes are still allowed, since there are
many useful cases for that, but we prevent security problems by forcing a
rollback of any GUC change after completing the operation.  Other cases are
handled by throwing an error if any change is attempted; these include temp
table creation, closing a cursor, and creating or deleting a prepared
statement.  (In 7.4, the infrastructure to roll back GUC changes doesn't
exist, so we settle for rejecting changes of "search_path" in these contexts.)

Original report and patch by Gurjeet Singh, additional analysis by
Tom Lane.

Security: CVE-2009-4136
2009-12-09 21:57:51 +00:00
Magnus Hagander
7aeaa97de2 Add notes about updating disk and shared memory size information in the
documentation when doing new major release.
2009-12-09 17:03:30 +00:00
Magnus Hagander
2367d6893f Update size references in installation instructions to be a bit
more up-to-date with current versions.
2009-12-09 16:16:34 +00:00
Magnus Hagander
abf23ee86d Reject certificates with embedded NULLs in the commonName field. This stops
attacks where an attacker would put <attack>\0<propername> in the field and
trick the validation code that the certificate was for <attack>.

This is a very low risk attack since it reuqires the attacker to trick the
CA into issuing a certificate with an incorrect field, and the common
PostgreSQL deployments are with private CAs, and not external ones. Also,
default mode in 8.4 does not do any name validation, and is thus also not
vulnerable - but the higher security modes are.

Backpatch all the way. Even though versions 8.3.x and before didn't have
certificate name validation support, they still exposed this field for
the user to perform the validation in the application code, and there
is no way to detect this problem through that API.

Security: CVE-2009-4034
2009-12-09 06:37:06 +00:00
Tom Lane
65ed203910 Update time zone data files to tzdata release 2009s: DST law changes in
Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine,
Samoa, Syria.  Also historical corrections for Hong Kong.
2009-12-09 00:35:32 +00:00
Magnus Hagander
28519de02d Fix a couple of broken links to third-party sites. 2009-12-08 20:08:30 +00:00
Magnus Hagander
ac1b614cc0 Replace broken link to custom local gettext package with one to the main
GNU site for gettext.
2009-12-08 19:22:43 +00:00
Magnus Hagander
8df283d25a Update CVS documentation to be more current and add documentation about
git mirror.

Remove information about cvsup and documentation that's more about cvs
than our use of cvs.

Backpatch to 8.4 so we get the git information up on the website as
soon as possible.
2009-12-07 19:19:56 +00:00
Tom Lane
0cb65564e5 Add exclusion constraints, which generalize the concept of uniqueness to
support any indexable commutative operator, not just equality.  Two rows
violate the exclusion constraint if "row1.col OP row2.col" is TRUE for
each of the columns in the constraint.

Jeff Davis, reviewed by Robert Haas
2009-12-07 05:22:23 +00:00
Tom Lane
8de7472b45 Don't use a duplicate OID for aclexplode(). 2009-12-06 02:55:54 +00:00
Peter Eisentraut
36f887c41c Speed up information schema privilege views
Instead of expensive cross joins to resolve the ACL, add table-returning
function aclexplode() that expands the ACL into a useful form, and join
against that.

Also, implement the role_*_grants views as a thin layer over the respective
*_privileges views instead of essentially repeating the same code twice.

fixes bug #4596

by Joachim Wieland, with cleanup by me
2009-12-05 21:43:36 +00:00
Peter Eisentraut
636bac6e46 Information schema documentation
Add a sentence of documentation about the differences between the
*_privileges and the role_*_grants views.
2009-12-05 21:31:05 +00:00
Heikki Linnakangas
ab3148b712 Fix bug in temporary file management with subtransactions. A cursor opened
in a subtransaction stays open even if the subtransaction is aborted, so
any temporary files related to it must stay alive as well. With the patch,
we use ResourceOwners to track open temporary files and don't automatically
close them at subtransaction end (though in the normal case temporary files
are registered with the subtransaction resource owner and will therefore be
closed).

At end of top transaction, we still check that there's no temporary files
marked as close-at-end-of-transaction open, but that's now just a debugging
cross-check as the resource owner cleanup should've closed them already.
2009-12-03 11:03:29 +00:00
Tom Lane
dc588058a0 Clarify what's supposed to happen when a cursor FETCH is rolled back
by aborting a subtransaction.  Per discussion with Heikki.
2009-12-02 21:11:12 +00:00
Bruce Momjian
8c1c2e38f6 thread-safety
Apply full patch to enable thread-safety by default, e.g. doc changes.
2009-12-02 14:07:26 +00:00
Teodor Sigaev
aebc4e67ff Preventing intersection of ranges during page split. Changes are only
optimization, so don't backpatch.
2009-12-02 13:13:24 +00:00
Tom Lane
59ed94ad0c Mark application_name as GUC_REPORT so that the value will be reported back
to the client by the server.  This might seem pretty pointless but apparently
it will help pgbouncer, and perhaps other connection poolers.  Anyway it's
practically free to do so for the normal use-case where appname is only set
in the startup packet --- we're just adding a few more bytes to the initial
ParameterStatus response packet.  Per comments from Marko Kreen.
2009-12-02 04:54:10 +00:00
Tom Lane
3dfcf8cc15 Instead of sending application_name as a SET command after the connection
is made, include it in the startup-packet options.  This makes it work more
like every other libpq connection option, in particular it now has the same
response to RESET ALL as the rest.  This also saves one network round trip
for new applications using application_name.  The cost is that if the server
is pre-8.5, it'll reject the startup packet altogether, forcing us to retry
the entire connection cycle.  But on balance we shouldn't be optimizing that
case in preference to the behavior with a new server, especially when doing
so creates visible behavioral oddities.  Per discussion.
2009-12-02 04:38:35 +00:00
Bruce Momjian
925b32bba1 Enable thread safety
Enable thread safety on all platforms.  This will either be followed up
by a more extensive patch, or reverted, depending on the build farm
results.
2009-12-01 23:02:44 +00:00
Bruce Momjian
b291c0fba8 psql -f -
Adjust psql -f - to behave like a normal file and honor the -1 flag.

Report from Robert Haas
2009-12-01 22:34:33 +00:00
Tom Lane
0d32342501 Teach the regular expression functions to do case-insensitive matching and
locale-dependent character classification properly when the database encoding
is UTF8.

The previous coding worked okay in single-byte encodings, or in any case for
ASCII characters, but failed entirely on multibyte characters.  The fix
assumes that the <wctype.h> functions use Unicode code points as the wchar
representation for Unicode, ie, wchar matches pg_wchar.

This is only a partial solution, since we're still stupid about non-ASCII
characters in multibyte encodings other than UTF8.  The practical effect
of that is limited, however, since those cases are generally Far Eastern
glyphs for which concepts like case-folding don't apply anyway.  Certainly
all or nearly all of the field reports of problems have been about UTF8.
A more general solution would require switching to the platform's wchar
representation for all regex operations; which is possible but would have
substantial disadvantages.  Let's try this and see if it's sufficient in
practice.
2009-12-01 21:00:24 +00:00
Bruce Momjian
ef51395e24 Revert due to Tom's concerns:
Add ProcessUtility_hook() to handle all DDL to
contrib/pg_stat_statements.
2009-12-01 02:31:13 +00:00
Bruce Momjian
d85cb27293 ProcessUtility_hook:
Add ProcessUtility_hook() to handle all DDL to contrib/pg_stat_statements.

Itagaki Takahiro
2009-12-01 01:08:46 +00:00
Bruce Momjian
29fd97d982 hstore docs
Update hstore docs, mostly word-smithing.

David E. Wheeler
2009-11-30 17:56:09 +00:00
Bruce Momjian
891f924bad THREAD_SUPPORT
There is no reference to THREAD_SUPPORT outside configure, and it is
never set, so remove it.
2009-11-30 16:50:38 +00:00
Tom Lane
908854209b Avoid core dump on empty thesaurus dictionary.
Per report from Robert Gravsjö.
2009-11-30 16:38:31 +00:00
Peter Eisentraut
bb1e8bea02 In SRF example, move oldcontext variable definition into the FIRSTCALL
branch, which is how most actual code is actually structured.  Also fix
slight whitespace misalignment.
2009-11-30 15:49:35 +00:00
Bruce Momjian
be64b3edd1 Properly indent SGML. 2009-11-30 14:47:37 +00:00
Tom Lane
67ec9adaf1 Fix session-lifespan memory leak when a plperl function is redefined:
we have to tell Perl it can release its compiled copy of the function
text.  Noted by Alexey Klyukin.

Back-patch to 8.2 --- the problem exists further back, but this patch
won't work without modification, and it's probably not worth the trouble.
2009-11-29 21:02:16 +00:00
Peter Eisentraut
22032820f9 Error when a specified connection service is not found, instead of ignoring it 2009-11-29 20:14:53 +00:00