Commit Graph

8883 Commits

Author SHA1 Message Date
Tom Lane
adc97d03b9 Prevent access to external files/URLs via contrib/xml2's xslt_process().
libxslt offers the ability to read and write both files and URLs through
stylesheet commands, thus allowing unprivileged database users to both read
and write data with the privileges of the database server.  Disable that
through proper use of libxslt's security options.

Also, remove xslt_process()'s ability to fetch documents and stylesheets
from external files/URLs.  While this was a documented "feature", it was
long regarded as a terrible idea.  The fix for CVE-2012-3489 broke that
capability, and rather than expend effort on trying to fix it, we're just
going to summarily remove it.

While the ability to write as well as read makes this security hole
considerably worse than CVE-2012-3489, the problem is mitigated by the fact
that xslt_process() is not available unless contrib/xml2 is installed,
and the longstanding warnings about security risks from that should have
discouraged prudent DBAs from installing it in security-exposed databases.

Reported and fixed by Peter Eisentraut.

Security: CVE-2012-3488
2012-08-14 18:31:18 -04:00
Bruce Momjian
1d96cf9404 In documentation, change "recommendable" to "recommended", per
consultation with word definitions.

Backpatch to 9.2.
2012-08-14 12:36:48 -04:00
Tom Lane
83af58f6b5 Add link from COPY ref page to psql \copy.
Jeff Janes
2012-08-11 13:51:22 -04:00
Tom Lane
c9b0cbe98b Support having multiple Unix-domain sockets per postmaster.
Replace unix_socket_directory with unix_socket_directories, which is a list
of socket directories, and adjust postmaster's code to allow zero or more
Unix-domain sockets to be created.

This is mostly a straightforward change, but since the Unix sockets ought
to be created after the TCP/IP sockets for safety reasons (better chance
of detecting a port number conflict), AddToDataDirLockFile needs to be
fixed to support out-of-order updates of data directory lockfile lines.
That's a change that had been foreseen to be necessary someday anyway.

Honza Horak, reviewed and revised by Tom Lane
2012-08-10 17:27:15 -04:00
Magnus Hagander
b3055ab4fb Fix upper limit of superuser_reserved_connections, add limit for wal_senders
Should be limited to the maximum number of connections excluding
autovacuum workers, not including.

Add similar check for max_wal_senders, which should never be higher than
max_connections.
2012-08-10 14:50:45 +02:00
Robert Haas
be690e291d Make psql -1 < file behave as expected.
Previously, the -1 option was silently ignored.

Also, emit an error if -1 is used in a context where it won't be
respected, to avoid user confusion.

Original patch by Fabien COELHO, but this version is quite different
from the original submission.
2012-08-09 10:02:50 -04:00
Simon Riggs
42020a89c7 Doc correction to point out that 9.2+ can overwrite pg_xlog files.
Noted by Noah Misch, patch by Fujii Masao
2012-08-08 22:34:46 +01:00
Tom Lane
5ebaaa4944 Implement SQL-standard LATERAL subqueries.
This patch implements the standard syntax of LATERAL attached to a
sub-SELECT in FROM, and also allows LATERAL attached to a function in FROM,
since set-returning function calls are expected to be one of the principal
use-cases.

The main change here is a rewrite of the mechanism for keeping track of
which relations are visible for column references while the FROM clause is
being scanned.  The parser "namespace" lists are no longer lists of bare
RTEs, but are lists of ParseNamespaceItem structs, which carry an RTE
pointer as well as some visibility-controlling flags.  Aside from
supporting LATERAL correctly, this lets us get rid of the ancient hacks
that required rechecking subqueries and JOIN/ON and function-in-FROM
expressions for invalid references after they were initially parsed.
Invalid column references are now always correctly detected on sight.

In passing, remove assorted parser error checks that are now dead code by
virtue of our having gotten rid of add_missing_from, as well as some
comments that are obsolete for the same reason.  (It was mainly
add_missing_from that caused so much fudging here in the first place.)

The planner support for this feature is very minimal, and will be improved
in future patches.  It works well enough for testing purposes, though.

catversion bump forced due to new field in RangeTblEntry.
2012-08-07 19:02:54 -04:00
Bruce Momjian
ac78c4178b Fix to_char(), to_date(), and to_timestamp() to handle negative/BC
century specifications just like positive/AD centuries.  Previously the
behavior was either wrong or inconsistent with positive/AD handling.

Centuries without years now always assume the first year of the century,
which is now documented.
2012-08-07 13:34:44 -04:00
Robert Haas
b112df8421 Typo fixes for previous commit.
Noted by Thom Brown.
2012-08-06 16:12:17 -04:00
Robert Haas
95282d3522 Warn more vigorously about the non-transactional behavior of sequences.
Craig Ringer, edited fairly heavily by me
2012-08-06 15:19:31 -04:00
Bruce Momjian
4639432597 Reword documentation for concurrent index rebuilds to be clearer.
Backpatch to 9.1 and 9.2.
2012-08-04 10:35:47 -04:00
Bruce Momjian
95e750520c Add link to synchronous_commit variables in high availability docs.
Backpatch to 9.2

Erik Rijkers
2012-08-03 16:33:20 -04:00
Bruce Momjian
9fb5952cdf Document that trying to exceed temp_file_limit causes a query cancel.
Backpatch to 9.2.
2012-08-03 15:15:27 -04:00
Bruce Momjian
7b8c798362 Document that, for psql -c, only the result of the last command is
returned, per report from Aleksey Tsalolikhin

Backpatch to 9.2 and 9.1.
2012-08-03 14:02:22 -04:00
Tom Lane
7719ed04bc Update release notes for libpq feature change. 2012-08-02 13:21:19 -04:00
Tom Lane
41b9c8452b Replace libpq's "row processor" API with a "single row" mode.
After taking awhile to digest the row-processor feature that was added to
libpq in commit 92785dac2e, we've concluded
it is over-complicated and too hard to use.  Leave the core infrastructure
changes in place (that is, there's still a row processor function inside
libpq), but remove the exposed API pieces, and instead provide a "single
row" mode switch that causes PQgetResult to return one row at a time in
separate PGresult objects.

This approach incurs more overhead than proper use of a row processor
callback would, since construction of a PGresult per row adds extra cycles.
However, it is far easier to use and harder to break.  The single-row mode
still affords applications the primary benefit that the row processor API
was meant to provide, namely not having to accumulate large result sets in
memory before processing them.  Preliminary testing suggests that we can
probably buy back most of the extra cycles by micro-optimizing construction
of the extra results, but that task will be left for another day.

Marko Kreen
2012-08-02 13:10:30 -04:00
Tom Lane
7c0fecdaef Add documentation cross-reference for JSON functions.
Thom Brown
2012-08-01 00:41:41 -04:00
Alvaro Herrera
2f29f011c8 pg_basebackup: stylistic adjustments
The most user-visible part of this is to change the long options
--statusint and --noloop to --status-interval and --no-loop,
respectively, per discussion.

Also, consistently enclose file names in double quotes, per our
conventions; and consistently use the term "transaction log file" to
talk about WAL segments.  (Someday we may need to go over this
terminology and make it consistent across the whole source code.)

Finally, reflow the code to better fit in 80 columns, and have pgindent
fix it up some more.
2012-07-31 11:02:39 -04:00
Bruce Momjian
04d2956f0d Now that the diskchecker.pl author has updated the download link on his
website, revert the separate link to the download git repository.

Backpatch from 9.0 to current.
2012-07-30 10:15:57 -04:00
Bruce Momjian
c9a2532c83 Update doc mention of diskchecker.pl to add URL for script; retain URL
for description.

Patch to 9.0 and later, where script is mentioned.
2012-07-26 21:25:26 -04:00
Bruce Momjian
69451b0968 Document that the pg_upgrade user of rsync might want to skip some
files, like postmaster.pid.

Backpatch to 9.2.
2012-07-26 14:30:24 -04:00
Peter Eisentraut
08d715a2d4 Document that pg_basebackup will create its output directory 2012-07-25 22:00:00 +03:00
Alvaro Herrera
d7b47e5155 Change syntax of new CHECK NO INHERIT constraints
The initially implemented syntax, "CHECK NO INHERIT (expr)" was not
deemed very good, so switch to "CHECK (expr) NO INHERIT" instead.  This
way it looks similar to SQL-standards compliant constraint attribute.

Backport to 9.2 where the new syntax and feature was introduced.

Per discussion.
2012-07-24 16:01:32 -04:00
Robert Haas
46b2b7e0ff Make pgbench vacuum before building indexes.
This is apparently faster than doing things the other way around when
the scale factor is large.

Along the way, adjust -n to suppress vacuuming during initialization
as well as during test runs.

Jeff Janes, with some small changes by me.
2012-07-23 14:42:35 -04:00
Robert Haas
3a0e4d36eb Make new event trigger facility actually do something.
Commit 3855968f32 added syntax, pg_dump,
psql support, and documentation, but the triggers didn't actually fire.
With this commit, they now do.  This is still a pretty basic facility
overall because event triggers do not get a whole lot of information
about what the user is trying to do unless you write them in C; and
there's still no option to fire them anywhere except at the very
beginning of the execution sequence, but it's better than nothing,
and a good building block for future work.

Along the way, add a regression test for ALTER LARGE OBJECT, since
testing of event triggers reveals that we haven't got one.

Dimitri Fontaine and Robert Haas
2012-07-20 11:39:01 -04:00
Robert Haas
3855968f32 Syntax support and documentation for event triggers.
They don't actually do anything yet; that will get fixed in a
follow-on commit.  But this gets the basic infrastructure in place,
including CREATE/ALTER/DROP EVENT TRIGGER; support for COMMENT,
SECURITY LABEL, and ALTER EXTENSION .. ADD/DROP EVENT TRIGGER;
pg_dump and psql support; and documentation for the anticipated
initial feature set.

Dimitri Fontaine, with review and a bunch of additional hacking by me.
Thom Brown extensively reviewed earlier versions of this patch set,
but there's not a whole lot of that code left in this commit, as it
turns out.
2012-07-18 10:16:16 -04:00
Peter Eisentraut
d6ce58c010 Show step titles in the pg_upgrade man page
The upstream XSLT stylesheets missed that case.

found by Álvaro Herrera
2012-07-17 21:34:22 +03:00
Peter Eisentraut
8e708e5e36 Add link to PEP 394 regarding python2 vs python3 naming 2012-07-14 13:06:09 +03:00
Tom Lane
b966dd6c42 Add fsync capability to initdb, and use sync_file_range() if available.
Historically we have not worried about fsync'ing anything during initdb
(in fact, initdb intentionally passes -F to each backend launch to prevent
it from fsync'ing).  But with filesystems getting more aggressive about
caching data, that's not such a good plan anymore.  Make initdb do a pass
over the finished data directory tree to fsync everything.  For testing
purposes, the -N/--nosync flag can be used to restore the old behavior.

Also, testing shows that on Linux, sync_file_range() is much faster than
posix_fadvise() for hinting to the kernel that an fsync is coming,
apparently because the latter blocks on a rather small request queue while
the former doesn't.  So use this function if available in initdb, and also
in the backend's pg_flush_data() (where it currently will affect only the
speed of CREATE DATABASE's cloning step).

We will later make pg_regress invoke initdb with the --nosync flag
to avoid slowing down cases such as "make check" in contrib.  But
let's not do so until we've shaken out any portability issues in this
patch.

Jeff Davis, reviewed by Andres Freund
2012-07-13 17:16:58 -04:00
Tom Lane
84a42560c8 Add array_remove() and array_replace() functions.
These functions support removing or replacing array element value(s)
matching a given search value.  Although intended mainly to support a
future array-foreign-key feature, they seem useful in their own right.

Marco Nenciarini and Gabriele Bartolini, reviewed by Alex Hunsaker
2012-07-11 13:59:35 -04:00
Bruce Momjian
f9951252db Document that Log-Shipping Standby Servers cannot be upgraded by
pg_upgrade.

Backpatch to 9.2.
2012-07-10 23:08:19 -04:00
Bruce Momjian
042d9ffc28 Run newly-configured perltidy script on Perl files.
Run on HEAD and 9.2.
2012-07-04 21:47:49 -04:00
Robert Haas
d7c734841b Reduce messages about implicit indexes and sequences to DEBUG1.
Per recent discussion on pgsql-hackers, these messages are too
chatty for most users.
2012-07-04 20:35:29 -04:00
Robert Haas
0fc32c00d7 Fix sample INSTR function to return 0 if third arg is 0.
Albe Laurenz, per a report by Greg Smith that our sample function
doesn't quite match Oracle's behavior.
2012-07-04 17:19:23 -04:00
Robert Haas
248b5fce06 More doc cleanups for recent shared memory changes.
Josh Kupershmidt
2012-07-04 15:57:48 -04:00
Robert Haas
390bfc643d Documentation cleanups for recent shared memory changes. 2012-07-04 15:56:12 -04:00
Magnus Hagander
817d870cf9 Remove reference to default wal_buffers being 8
This hasn't been true since 9.1, when the default was changed to -1.
Remove the reference completely, keeping the discussion of the parameter
and it's shared memory effects on the config page.
2012-07-04 09:23:51 +02:00
Magnus Hagander
51fc406819 Remove references to pgfoundry as recommended hosting platform
pgfoundry is deprectaed and no longer accepting new projects,
so we really shouldn't be directing people there.
2012-07-04 08:59:35 +02:00
Magnus Hagander
d80785e6ed Remove references to PostgreSQL bundled on Solaris
Also remove special references to downloads off pgfoundry since they are
not correct - downloads are done through the main website.
2012-07-04 08:58:31 +02:00
Robert Haas
f11e8be3e8 Make commit_delay much smarter.
Instead of letting every backend participating in a group commit wait
independently, have the first one that becomes ready to flush WAL wait
for the configured delay, and let all the others wait just long enough
for that first process to complete its flush.  This greatly increases
the chances of being able to configure a commit_delay setting that
actually improves performance.

As a side consequence of this change, commit_delay now affects all WAL
flushes, rather than just commits.  There was some discussion on
pgsql-hackers about whether to rename the GUC to, say, wal_flush_delay,
but in the absence of consensus I am leaving it alone for now.

Peter Geoghegan, with some changes, mostly to the documentation, by me.
2012-07-02 10:26:31 -04:00
Robert Haas
7700b82e6b Update release notes for pg_terminate_backend changes. 2012-06-27 08:44:50 -04:00
Robert Haas
c60ca19de9 Allow pg_terminate_backend() to be used on backends with matching role.
A similar change was made previously for pg_cancel_backend, so now it
all matches again.

Dan Farina, reviewed by Fujii Masao, Noah Misch, and Jeff Davis,
with slight kibitzing on the doc changes by me.
2012-06-26 16:16:52 -04:00
Heikki Linnakangas
038f3a0509 Fix pg_upgrade, broken by the xlogid/segno -> 64-bit int refactoring.
The xlogid + segno representation of a particular WAL segment doesn't make
much sense in pg_resetxlog anymore, now that we don't use that anywhere
else. Use the WAL filename instead, since that's a convenient way to name a
particular WAL segment.

I did this partially for pg_resetxlog in the original xlogid/segno -> uint64
patch, but I neglected pg_upgrade and the docs. This should now be more
complete.
2012-06-26 07:49:02 +03:00
Peter Eisentraut
b8b2e3b2de Replace int2/int4 in C code with int16/int32
The latter was already the dominant use, and it's preferable because
in C the convention is that intXX means XX bits.  Therefore, allowing
mixed use of int2, int4, int8, int16, int32 is obviously confusing.

Remove the typedefs for int2 and int4 for now.  They don't seem to be
widely used outside of the PostgreSQL source tree, and the few uses
can probably be cleaned up by the time this ships.
2012-06-25 01:51:46 +03:00
Robert Haas
6ef5baf8b1 Document that && can be used to search arrays.
Also, add some cross-links to the indexing documentation, so it's easier
to notice that && and other array operators have index support.

Ryan Kelly, edited by me.
2012-06-22 08:59:41 -04:00
Peter Eisentraut
6753ced310 Make placeholders in SQL command help more consistent and precise
To avoid divergent names on related pages, avoid ambiguities, and
reduce translation work a little.
2012-06-22 01:06:14 +03:00
Tom Lane
afe1c51c9d Add pgbench option to add foreign key constraints to the standard scenario.
The option --foreign-keys, used at initialization time, will create foreign
key constraints for the columns that represent references to other tables'
primary keys.  This can help in benchmarking FK performance.

Jeff Janes
2012-06-19 18:33:59 -04:00
Peter Eisentraut
c521665bd7 Remove confusing half sentence from legal notice
pointed out by Stefan Kaltenbrunner
2012-06-20 00:12:05 +03:00
Tom Lane
c75be2ad60 Change ON UPDATE SET NULL/SET DEFAULT referential actions to meet SQL spec.
Previously, when executing an ON UPDATE SET NULL or SET DEFAULT action for
a multicolumn MATCH SIMPLE foreign key constraint, we would set only those
referencing columns corresponding to referenced columns that were changed.
This is what the SQL92 standard said to do --- but more recent versions
of the standard say that all referencing columns should be set to null or
their default values, no matter exactly which referenced columns changed.
At least for SET DEFAULT, that is clearly saner behavior.  It's somewhat
debatable whether it's an improvement for SET NULL, but it appears that
other RDBMS systems read the spec this way.  So let's do it like that.

This is a release-notable behavioral change, although considering that
our documentation already implied it was done this way, the lack of
complaints suggests few people use such cases.
2012-06-18 12:12:52 -04:00