Commit Graph

29941 Commits

Author SHA1 Message Date
Tom Lane
20db9591b2 Update release notes with security issues.
Security: CVE-2010-1169, CVE-2010-1170
2010-05-13 21:26:59 +00:00
Tom Lane
4b8c969c74 Use an entity instead of non-ASCII letter. Thom Brown 2010-05-13 19:16:14 +00:00
Tom Lane
a4bbfb1aac Use "TOAST table" in place of the vague, not-used-elsewhere phrase
"supplementary storage table".
2010-05-13 18:54:18 +00:00
Tom Lane
9ead05b7c3 Prevent PL/Tcl from loading the "unknown" module from pltcl_modules unless
that is a regular table or view owned by a superuser.  This prevents a
trojan horse attack whereby any unprivileged SQL user could create such a
table and insert code into it that would then get executed in other users'
sessions whenever they call pltcl functions.

Worse yet, because the code was automatically loaded into both the "normal"
and "safe" interpreters at first use, the attacker could execute unrestricted
Tcl code in the "normal" interpreter without there being any pltclu functions
anywhere, or indeed anyone else using pltcl at all: installing pltcl is
sufficient to open the hole.  Change the initialization logic so that the
"unknown" code is only loaded into an interpreter when the interpreter is
first really used.  (That doesn't add any additional security in this
particular context, but it seems a prudent change, and anyway the former
behavior violated the principle of least astonishment.)

Security: CVE-2010-1170
2010-05-13 18:29:12 +00:00
Andrew Dunstan
1f474d299d Abandon the use of Perl's Safe.pm to enforce restrictions in plperl, as it is
fundamentally insecure. Instead apply an opmask to the whole interpreter that
imposes restrictions on unsafe operations. These restrictions are much harder
to subvert than is Safe.pm, since there is no container to be broken out of.
Backported to release 7.4.

In releases 7.4, 8.0 and 8.1 this also includes the necessary backporting of
the two interpreters model for plperl and plperlu adopted in release 8.2.

In versions 8.0 and up, the use of Perl's POSIX module to undo its locale
mangling on Windows has become insecure with these changes, so it is
replaced by our own routine, which is also faster.

Nice side effects of the changes include that it is now possible to use perl's
"strict" pragma in a natural way in plperl, and that perl's $a and
$b variables now work as expected in sort routines, and that function
compilation is significantly faster.

Tim Bunce and Andrew Dunstan, with reviews from Alex Hunsaker and
Alexey Klyukin.

Security: CVE-2010-1169
2010-05-13 16:39:43 +00:00
Magnus Hagander
2b61b3e507 Assorted fixes to make pg_upgrade build on MSVC.
* There is no chmod() on Windows.
* Must always use the 3-parameter version of open()
* There is no dynloader.h - but it also appears unnecessary on all platforms
* Don't include shlobj.h because it causes compile errors, and from what I can
  see it's not actually used. This may need to be added back for mingw
  and/or cygwin in the worst case.
2010-05-13 15:58:15 +00:00
Peter Eisentraut
f1ac08daee Translation update 2010-05-13 15:56:43 +00:00
Magnus Hagander
12bc72db60 Properly support multi-line entires (such as OBJS=) when building
PROGRAM, not just MODULE, in contrib.
2010-05-13 15:56:22 +00:00
Bruce Momjian
10d66ac8f6 Comment out EnterpriseDB Advanced Server mention in SGML docs. 2010-05-13 15:03:24 +00:00
Peter Eisentraut
74d770a895 Avoid error from mkdir if no languages are to be installed
mkinstalldirs used to handle no arguments, but mkdir doesn't.

Also remove the .SILENT setting, that was previously removed from
Makefile.global as well.
2010-05-13 14:35:28 +00:00
Magnus Hagander
4cb7536c6b Fix some spelling errors.
Thom Brown
2010-05-13 14:16:41 +00:00
Andrew Dunstan
52d0b49f5e Add missing library and include support for pg_upgrade to MSVC build system. 2010-05-13 13:40:03 +00:00
Bruce Momjian
092c36ef99 Fix HISTORY.html build using </link>, not </>. 2010-05-13 12:47:50 +00:00
Peter Eisentraut
3393551d54 Fix vpath installation from distribution tarball (bug #5447) 2010-05-13 11:49:48 +00:00
Simon Riggs
463f151a23 Ensure that top level aborts call XLogSetAsyncCommit(). Not doing
so simply leads to data waiting in wal_buffers which then causes
later commits to potentially do emergency writes and for all forms
of replication to be potentially delayed without need or benefit.
Issue pointed out exactly by Fujii Masao, following bug report
by Robert Haas on a separate though related topic.
2010-05-13 11:39:30 +00:00
Simon Riggs
8431e296ea Cleanup initialization of Hot Standby. Clarify working with reanalysis
of requirements and documentation on LogStandbySnapshot(). Fixes
two minor bugs reported by Tom Lane that would lead to an incorrect
snapshot after transaction wraparound. Also fix two other problems
discovered that would give incorrect snapshots in certain cases.
ProcArrayApplyRecoveryInfo() substantially rewritten. Some minor
refactoring of xact_redo_apply() and ExpireTreeKnownAssignedTransactionIds().
2010-05-13 11:15:38 +00:00
Tom Lane
c2e7f78abe Fix wrong subdir. Per buildfarm. 2010-05-13 05:17:16 +00:00
Bruce Momjian
d8c311c379 Update release notes to current. 2010-05-13 01:57:01 +00:00
Bruce Momjian
9885206cab Move pg_upgrade shared library out into its own /contrib directory
(pg_upgrade_support).
2010-05-13 01:03:01 +00:00
Bruce Momjian
c7c012ce56 Update comment about why postmaster doesn't get an icon. 2010-05-12 23:48:36 +00:00
Tom Lane
8aad797362 Preliminary release notes for releases 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25,
7.4.29.
2010-05-12 23:20:49 +00:00
Bruce Momjian
0c6b9308de Remove Makefile PGFILEDESC tag that the postmaster is an executable. 2010-05-12 21:42:21 +00:00
Simon Riggs
66035734ec Give most recovery conflict errors a retryable error code. From recent
requests and discussions with Yeb Havinga and Kevin Grittner.
2010-05-12 19:45:02 +00:00
Tom Lane
44e55690fd Hook pg_upgrade into the contrib makefile structure so it gets built
on the buildfarm.
2010-05-12 16:50:58 +00:00
Peter Eisentraut
087b393dab Update config.guess and config.sub 2010-05-12 16:50:57 +00:00
Tom Lane
c9c25a982c Clean up unnecessary unportability and compiler warnings by removing the
cmp parameter for pg_scandir().  The code failed to support this anyway
for Sun/Windows, so pretending we could accept a parameter other than
NULL was just asking for trouble.
2010-05-12 16:50:00 +00:00
Bruce Momjian
b460b5cd11 Move pg_upgrade TODO to TODO wiki. 2010-05-12 13:59:21 +00:00
Bruce Momjian
395d1259ad Add PGFILEDESC description to Makefiles for all /contrib executables.
Add PGAPPICON to all executable makefiles.
2010-05-12 11:33:10 +00:00
Bruce Momjian
561afa534d Small formatting adjustment. 2010-05-12 11:07:24 +00:00
Bruce Momjian
a898199df5 Add pg_upgrade IMPLEMENTATION file to CVS. 2010-05-12 02:24:43 +00:00
Bruce Momjian
6c4a98d99c Add TODO file to CVS. 2010-05-12 02:23:56 +00:00
Bruce Momjian
c2e9b2f288 Add pg_upgrade to /contrib; will be in 9.0 beta2.
Add documentation.

Supports migration from PG 8.3 and 8.4.
2010-05-12 02:19:11 +00:00
Tom Lane
28e1742217 Update time zone data files to tzdata release 2010j: DST law changes in
Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan,
Palestine, Russia, Syria, Tunisia.  Historical corrections for Taiwan.
2010-05-11 23:01:27 +00:00
Tom Lane
af9a54b663 Add PKST to the default set of timezone abbreviations.
Per discussion, if we have PKT in there then PKST should be too.
Also, fix mistaken claim that these abbrevs are not known to zic.
2010-05-11 22:36:52 +00:00
Robert Haas
dd6fcd35e3 Change typedef for rb_appendator to avoid conflict with C++ reserved words.
Fixes a complaint from src/tools/pginclude/cpluspluscheck reported by
Peter Eisentraut.
2010-05-11 18:14:01 +00:00
Tom Lane
4a69624f49 Cause the archiver process to adopt new postgresql.conf settings (particularly
archive_command) as soon as possible, namely just before issuing a new call
of archive_command, even when there is a backlog of files to be archived.
The original coding would only absorb new settings after clearing the backlog
and returning to the outer loop.  Per discussion.

Back-patch to 8.3.  The logic in prior versions is a bit different and it
doesn't seem worth taking any risks of breaking it.
2010-05-11 16:42:28 +00:00
Robert Haas
8b8009a20d Mention related ALTER TABLE variants in documentation for CLUSTER.
As suggested by Andy Lester.
2010-05-11 16:07:42 +00:00
Tom Lane
b7987f8a94 Fix incorrect patch that removed permission checks on inheritance child
tables --- the parent table no longer got checked, either.  Per bug #5458
from Takahiro Itagaki.
2010-05-11 15:31:37 +00:00
Itagaki Takahiro
5d6d037822 Set per-function GUC settings during validating the function.
Now validators work properly even when the settings contain
parameters that affect behavior of the function, like search_path.

Reported by Erwin Brandstetter.
2010-05-11 04:52:28 +00:00
Tom Lane
ed83f6e382 When adding a "target IS NOT NULL" indexqual to the plan for an index-optimized
MIN or MAX, we must take care to insert the added qual in a legal place among
the existing indexquals, if any.  The btree index AM requires the quals to
appear in index-column order.  We didn't have to worry about this before
because "target IS NOT NULL" was just treated as a plain scan filter condition;
but as of 9.0 it can be an index qual and then it has to follow the rule.
Per report from Ian Barwick.
2010-05-10 16:25:46 +00:00
Tom Lane
7fdbb8e353 Suppress signed-vs-unsigned-char warning. 2010-05-09 18:17:47 +00:00
Tom Lane
2ea56cbda6 Fix missing static declaration for XLogRead(). 2010-05-09 18:11:55 +00:00
Tom Lane
4768fd3fd8 Fix typo: PGTYPES_NUM_OVERFLOW should be PGTYPES_NUM_UNDERFLOW.
Noted by KOIZUMI Satoru.
2010-05-09 16:30:31 +00:00
Tom Lane
ed437e2b27 Adjust comments about avoiding use of printf's %.*s.
My initial impression that glibc was measuring the precision in characters
(which is what the Linux man page says it does) was incorrect.  It does take
the precision to be in bytes, but it also tries to truncate the string at a
character boundary.  The bottom line remains the same: it will mess up
if the string is not in the encoding it expects, so we need to avoid %.*s
anytime there's a significant risk of that.  Previous code changes are still
good, but adjust the comments to reflect this knowledge.  Per research by
Hernan Gonzalez.
2010-05-09 02:16:00 +00:00
Tom Lane
54cd4f0457 Work around a subtle portability problem in use of printf %s format.
Depending on which spec you read, field widths and precisions in %s may be
counted either in bytes or characters.  Our code was assuming bytes, which
is wrong at least for glibc's implementation, and in any case libc might
have a different idea of the prevailing encoding than we do.  Hence, for
portable results we must avoid using anything more complex than just "%s"
unless the string to be printed is known to be all-ASCII.

This patch fixes the cases I could find, including the psql formatting
failure reported by Hernan Gonzalez.  In HEAD only, I also added comments
to some places where it appears safe to continue using "%.*s".
2010-05-08 16:39:53 +00:00
Michael Meskes
71a185a24d ECPG connect routine only checked for NULL to find empty parameters, but user and password can also be "". 2010-05-07 19:35:03 +00:00
Tom Lane
cd86869a9a On Linux, use --enable-new-dtags when specifying -rpath to linker.
This should allow LD_LIBRARY_PATH to work as desired.  Per trouble
report from Andy Colson.
2010-05-06 19:28:25 +00:00
Itagaki Takahiro
72ee670323 Code page for EUC-KR is surely 51949. 2010-05-06 02:12:38 +00:00
Tom Lane
93dc6a1b39 Fix psql to not go into infinite recursion when expanding a variable that
refers to itself (directly or indirectly).  Instead, print a message when
recursion is detected, and don't expand the repeated reference.  Per bug
#5448 from Francis Markham.

Back-patch to 8.0.  Although the issue exists in 7.4 as well, it seems
impractical to fix there because of the lack of any state stack that
could be used to track active expansions.
2010-05-05 22:18:56 +00:00
Heikki Linnakangas
1ba23f767b Fix incorrect parameter tag in docs, spotted by KOIZUMI Satoru. 2010-05-05 15:10:25 +00:00