postgresql/contrib
Tom Lane d5622acb32 Replace usages of xmlXPathCompile() with xmlXPathCtxtCompile().
In existing releases of libxml2, xmlXPathCompile can be driven
to stack overflow because it fails to protect itself against
too-deeply-nested input.  While there is an upstream fix as of
yesterday, it will take years for that to propagate into all
shipping versions.  In the meantime, we can protect our own
usages basically for free by calling xmlXPathCtxtCompile instead.

(The actual bug is that libxml2 keeps its nesting counter in the
xmlXPathContext, and its parsing code was willing to just skip
counting nesting levels if it didn't have a context.  So if we supply
a context, all is well.  It seems odd actually that it works at all
to not supply a context, because this means that XPath parsing does
not have access to XML namespace info.  Apparently libxml2 never
checks namespaces until runtime?  Anyway, this seems like good
future-proofing even if its only immediate effect is to dodge a bug.)

Sadly, this hack only offers protection with libxml2 2.9.11 and newer.
Before that there are multiple similar problems, so if you are
processing untrusted XML it behooves you to get a newer version.
But we have some pretty old libxml2 in the buildfarm, so it seems
impractical to add a regression test to verify this fix.

Per bug #18617 from Jingzhou Fu.  Back-patch to all supported
versions.

Discussion: https://postgr.es/m/18617-1cee4d2ed1f4e7ae@postgresql.org
Discussion: https://gitlab.gnome.org/GNOME/libxml2/-/issues/799
2024-09-15 13:33:09 -04:00
amcheck amcheck: Optimize speed of checking for unique constraint violation 2024-07-28 13:50:57 +03:00
auth_delay
auto_explain Add EXPLAIN (MEMORY) to report planner memory consumption 2024-01-29 17:53:03 +01:00
basebackup_to_shell
basic_archive Add built-in ERROR handling for archive callbacks. 2024-04-02 22:28:11 -05:00
bloom Replace gratuitous memmove() with memcpy() 2024-09-11 15:21:36 +02:00
bool_plperl
btree_gin
btree_gist Mark misc static global variables as const 2024-08-06 23:04:48 +03:00
citext Add argument names to the regexp_XXX functions. 2024-07-25 14:51:46 -04:00
cube Include bison header files into implementation files 2024-08-02 10:25:11 +02:00
dblink Don't bother checking the result of SPI_connect[_ext] anymore. 2024-09-09 12:18:34 -04:00
dict_int
dict_xsyn
earthdistance
file_fdw Treat number of disabled nodes in a path as a separate cost metric. 2024-08-21 10:12:30 -04:00
fuzzystrmatch
hstore Optimize escaping of JSON strings 2024-07-27 23:46:07 +12:00
hstore_plperl
hstore_plpython
intagg
intarray Use new overflow-safe integer comparison functions. 2024-02-16 14:05:36 -06:00
isn Convert some extern variables to static 2024-07-02 07:26:22 +02:00
jsonb_plperl
jsonb_plpython
lo
ltree Add hash support functions and hash opclass for contrib/ltree. 2024-03-21 18:27:49 -04:00
ltree_plpython
oid2name Apply more quoting to GUC names in messages 2024-09-04 13:50:44 +09:00
pageinspect Fix contrib/pageinspect's test for sequences. 2024-09-13 10:16:40 -05:00
passwordcheck
pg_buffercache Add pg_buffercache_evict() function for testing. 2024-04-08 16:23:40 +12:00
pg_freespacemap
pg_prewarm Add block_range_read_stream_cb(), to deduplicate code. 2024-09-03 10:46:20 -07:00
pg_stat_statements Remove obsolete comment in pg_stat_statements. 2024-09-14 11:42:31 -04:00
pg_surgery Error message capitalisation 2024-01-18 09:35:12 +01:00
pg_trgm Use new overflow-safe integer comparison functions. 2024-02-16 14:05:36 -06:00
pg_visibility Optimize pg_visibility with read streams. 2024-09-10 15:21:33 -07:00
pg_walinspect Assign error codes where missing for user-facing failures 2024-07-04 09:48:40 +09:00
pgcrypto Remove support for OpenSSL older than 1.1.0 2024-09-02 13:51:48 +02:00
pgrowlocks
pgstattuple Reintroduce support for sequences in pgstattuple and pageinspect. 2024-09-12 16:31:29 -05:00
postgres_fdw Make postgres_fdw's query_cancel test less flaky. 2024-08-30 16:47:39 -04:00
seg Include bison header files into implementation files 2024-08-02 10:25:11 +02:00
sepgsql Revise GUC names quoting in messages again 2024-05-17 11:44:26 +02:00
spi Don't bother checking the result of SPI_connect[_ext] anymore. 2024-09-09 12:18:34 -04:00
sslinfo Revert "Add notBefore and notAfter to SSL cert info display" 2024-03-22 22:58:41 +01:00
start-scripts
tablefunc Don't bother checking the result of SPI_connect[_ext] anymore. 2024-09-09 12:18:34 -04:00
tcn
test_decoding Fix typos and grammar in code comments and docs 2024-09-03 14:49:04 +09:00
tsm_system_rows
tsm_system_time
unaccent Add simple codepoint redirections to unaccent.rules. 2024-07-05 15:25:31 +12:00
uuid-ossp Make the order of the header file includes consistent 2024-03-13 15:07:00 +01:00
vacuumlo Apply more quoting to GUC names in messages 2024-09-04 13:50:44 +09:00
xml2 Replace usages of xmlXPathCompile() with xmlXPathCtxtCompile(). 2024-09-15 13:33:09 -04:00
contrib-global.mk
Makefile Remove the adminpack contrib extension 2024-03-04 12:39:22 +01:00
meson.build Remove the adminpack contrib extension 2024-03-04 12:39:22 +01:00
README

The PostgreSQL contrib tree
---------------------------

This subtree contains porting tools, analysis utilities, and plug-in
features that are not part of the core PostgreSQL system, mainly
because they address a limited audience or are too experimental to be
part of the main source tree.  This does not preclude their
usefulness.

User documentation for each module appears in the main SGML
documentation.

When building from the source distribution, these modules are not
built automatically, unless you build the "world" target.  You can
also build and install them all by running "make all" and "make
install" in this directory; or to build and install just one selected
module, do the same in that module's subdirectory.

Some directories supply new user-defined functions, operators, or
types.  To make use of one of these modules, after you have installed
the code you need to register the new SQL objects in the database
system by executing a CREATE EXTENSION command.  In a fresh database,
you can simply do

    CREATE EXTENSION module_name;

See the PostgreSQL documentation for more information about this
procedure.