| d419ce4 | Tom Lane | 03 January 2008, 21:41:24 UTC | Stamp release 8.1.11. Security: CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601 | 03 January 2008, 21:41:24 UTC |
| bf4d342 | Tom Lane | 03 January 2008, 21:35:49 UTC | Update release notes for security releases. Security: CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601 | 03 January 2008, 21:35:49 UTC |
| 148bd52 | Tom Lane | 03 January 2008, 21:28:30 UTC | The original patch to disallow non-passworded connections to non-superusers failed to cover all the ways in which a connection can be initiated in dblink. Plug the remaining holes. Also, disallow transient connections in functions for which that feature makes no sense (because they are only sensible as part of a sequence of operations on the same connection). Joe Conway Security: CVE-2007-6601 | 03 January 2008, 21:28:30 UTC |
| 46cf9c2 | Tom Lane | 03 January 2008, 21:24:26 UTC | Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600 | 03 January 2008, 21:24:26 UTC |
| 8b1de3b | Tom Lane | 03 January 2008, 20:48:57 UTC | Fix assorted security-grade bugs in the regex engine. All of these problems are shared with Tcl, since it's their code to begin with, and the patches have been copied from Tcl 8.5.0. Problems: CVE-2007-4769: Inadequate check on the range of backref numbers allows crash due to out-of-bounds read. CVE-2007-4772: Infinite loop in regex optimizer for pattern '($|^)*'. CVE-2007-6067: Very slow optimizer cleanup for regex with a large NFA representation, as well as crash if we encounter an out-of-memory condition during NFA construction. Part of the response to CVE-2007-6067 is to put a limit on the number of states in the NFA representation of a regex. This seems needed even though the within-the-code problems have been corrected, since otherwise the code could try to use very large amounts of memory for a suitably-crafted regex, leading to potential DOS by driving the system into swap, activating a kernel OOM killer, etc. Although there are certainly plenty of ways to drive the system into effective DOS with poorly-written SQL queries, these problems seem worth treating as security issues because many applications might accept regex search patterns from untrustworthy sources. Thanks to Will Drewry of Google for reporting these problems. Patches by Will Drewry and Tom Lane. Security: CVE-2007-4769, CVE-2007-4772, CVE-2007-6067 | 03 January 2008, 20:48:57 UTC |
| 5ddd11b | Tom Lane | 02 January 2008, 22:05:21 UTC | Insert ARST into the list of known timezone abbreviations. | 02 January 2008, 22:05:21 UTC |
| af3de80 | Magnus Hagander | 02 January 2008, 19:53:19 UTC | Fix invalid ipv6 address in example. Per doc comment 7211. | 02 January 2008, 19:53:19 UTC |
| a634642 | Tom Lane | 01 January 2008, 20:45:25 UTC | Update time zone data files to tzdata release 2007k. | 01 January 2008, 20:45:25 UTC |
| 8cc2397 | Bruce Momjian | 31 December 2007, 17:28:12 UTC | Provide a more helpful error message when there is an autoconf version mismatch; backpatch. | 31 December 2007, 17:28:12 UTC |
| 5a351b6 | Tom Lane | 18 December 2007, 00:04:22 UTC | Make path_recv() and poly_recv() reject paths/polygons containing no points. The zero-point case is sensible so far as the data structure is concerned, so maybe we ought to allow it sometime; but right now the textual input routines for these types don't allow it, and it seems that not all the functions for the types are prepared to cope. Report and patch by Merlin Moncure. | 18 December 2007, 00:04:22 UTC |
| 3c92d5f | Tom Lane | 01 December 2007, 17:58:54 UTC | Suppress compiler warnings in recent plperl patch. Avoid uselessly expensive lookup of the well-known OID of textout(). | 01 December 2007, 17:58:54 UTC |
| 63276b7 | Andrew Dunstan | 01 December 2007, 15:39:49 UTC | Workaround for perl problem where evaluating UTF8 regexes can cause implicit loading of modules, thereby breaking Safe rules. We compile and call a tiny perl function on trusted interpreter init, after which the problem does not occur. | 01 December 2007, 15:39:49 UTC |
| f575dfc | Peter Eisentraut | 26 November 2007, 12:27:03 UTC | Require a specific Autoconf version, instead of a lower bound only. | 26 November 2007, 12:27:03 UTC |
| 4bf3801 | Alvaro Herrera | 23 November 2007, 01:47:12 UTC | Fix buggy usage of vsnprintf in PL/Python by removing it altogether, instead relying on stringinfo.c. This fixes a problem reported by Marko Kreen, but I didn't use his patch, per subsequent discussion. | 23 November 2007, 01:47:12 UTC |
| d4becb6 | Tatsuo Ishii | 23 November 2007, 00:30:58 UTC | Fix "Overall Page Layout" table. The second row should be ItemIdData, not ItemPointerData. | 23 November 2007, 00:30:58 UTC |
| 80848c0 | Tom Lane | 22 November 2007, 17:47:40 UTC | Prevent Perl from introducing a possibly-incompatible definition of type "bool" into plperl.c. This has always been a hazard since Perl allows a platform-specific choice to define bool as int rather than char, but evidently this didn't happen on any platform we support ... until OS X 10.5. Per report from Brandon Maust. Back-patch as far as 8.0 --- a bit arbitrary, but it seems unlikely anyone will be trying to port 7.x onto new platforms. | 22 November 2007, 17:47:40 UTC |
| 9275f2d | Teodor Sigaev | 16 November 2007, 17:09:15 UTC | Backpatch: Fix tsvector_out() and tsquery_out() to escape backslesh, add test of that. Patch by Bruce Momjian <bruce@momjian.us> | 16 November 2007, 17:09:15 UTC |
| 011e0ef | Tom Lane | 15 November 2007, 21:21:26 UTC | Update timezone data files to release 2007i of the zic database. | 15 November 2007, 21:21:26 UTC |
| 0b33e20 | Joe Conway | 10 November 2007, 05:01:50 UTC | Have crosstab variants treat NULL rowid as a category in its own right, per suggestion from Tom Lane. This fixes crash-bug reported by Stefan Schwarzer. | 10 November 2007, 05:01:50 UTC |
| 8d31b6d | Tom Lane | 09 November 2007, 20:10:20 UTC | Second pass at improving LIKE/regex estimation in non-C locales. It turns out that it's actually quite likely that a string that is an extension of the given prefix will sort as larger than the "greater" string our previous code created. To provide some defense against that, do the comparisons against a modified string instead of just the bare prefix. We tack on "Z", "z", "y", or "9", whichever is seen as largest in the current locale. Testing suggests that this is sufficient at least for cases involving ASCII data. | 09 November 2007, 20:10:20 UTC |
| b4b939e | Tom Lane | 08 November 2007, 23:23:07 UTC | If an index depends on no columns of its table, give it a dependency on the whole table instead, to ensure that it goes away when the table is dropped. Per bug #3723 from Sam Mason. Backpatch as far as 7.4; AFAICT 7.3 does not have the issue, because it doesn't have general-purpose expression indexes and so there must be at least one column referenced by an index. | 08 November 2007, 23:23:07 UTC |
| e4a46db | Tom Lane | 07 November 2007, 22:37:43 UTC | Improve the performance of LIKE/regex estimation in non-C locales, by making make_greater_string() try harder to generate a string that's actually greater than its input string. Before we just assumed that making a string that was memcmp-greater was enough, but it is easy to generate examples where this is not so when the locale is not C. Instead, loop until the relevant comparison function agrees that the generated string is greater than the input. Unfortunately this is probably not enough to guarantee that the generated string is greater than all extensions of the input, so we cannot relax the restriction to C locale for the LIKE/regex index optimization. But it should at least improve the odds of getting a useful selectivity estimate in prefix_selectivity(). Per example from Guillaume Smet. Backpatch to 8.1, mainly because that's what the complainant is using... | 07 November 2007, 22:37:43 UTC |
| 6073598 | Michael Meskes | 06 November 2007, 08:32:57 UTC | Fixed two parser bugs. | 06 November 2007, 08:32:57 UTC |
| 56ac701 | Tom Lane | 28 October 2007, 19:08:16 UTC | Fix a couple of issues with pg_dump's handling of inheritance child tables that have default expressions different from their parent. First, if the parent table's default expression has to be split out as a separate ALTER TABLE command, we need a dependency constraint to ensure that the child's command is given second. This is because the ALTER TABLE on the parent will propagate to the child. (We can't prevent that by using ONLY on the parent's command, since it's possible that other children exist that should receive the inherited default.) Second, if the child has a NULL default where the parent does not, we have to explicitly say DEFAULT NULL on the child in order for this state to be preserved after reload. (The latter actually doesn't work right because of a backend bug, but that is a separate issue.) Backpatch as far as 8.0. 7.x pg_dump has enough issues with altered tables (due to lack of dependency analysis) that trying to fix this one doesn't seem very productive. | 28 October 2007, 19:08:16 UTC |
| 5808e2b | Tom Lane | 13 October 2007, 15:55:58 UTC | Fix ALTER COLUMN TYPE to preserve the tablespace and reloptions of indexes it affects. The original coding neglected tablespace entirely (causing the indexes to move to the database's default tablespace) and for an index belonging to a UNIQUE or PRIMARY KEY constraint, it would actually try to assign the parent table's reloptions to the index :-(. Per bug #3672 and subsequent investigation. 8.0 and 8.1 did not have reloptions, but the tablespace bug is present. | 13 October 2007, 15:55:58 UTC |
| fbe5dc4 | Tom Lane | 11 October 2007, 21:28:12 UTC | Ensure that the result of evaluating a function during constant-expression simplification gets detoasted before it is incorporated into a Const node. Otherwise, if an immutable function were to return a TOAST pointer (an unlikely case, but it can be made to happen), we would end up with a plan that depends on the continued existence of the out-of-line toast datum. | 11 October 2007, 21:28:12 UTC |
| 9310b2e | Magnus Hagander | 09 October 2007, 15:03:30 UTC | Don't try to free pgpassfile since it's a stack variable. Martin Pitt | 09 October 2007, 15:03:30 UTC |
| 56ae9c9 | Tom Lane | 04 October 2007, 20:45:02 UTC | Keep the planner from failing on "WHERE false AND something IN (SELECT ...)". eval_const_expressions simplifies this to just "WHERE false", but we have already done pull_up_IN_clauses so the IN join will be done, or at least planned, anyway. The trouble case comes when the sub-SELECT is itself a join and we decide to implement the IN by unique-ifying the sub-SELECT outputs: with no remaining reference to the output Vars in WHERE, we won't have propagated the Vars up to the upper join point, leading to "variable not found in subplan target lists" error. Fix by adding an extra scan of in_info_list and forcing all Vars mentioned therein to be propagated up to the IN join point. Per bug report from Miroslav Sulc. | 04 October 2007, 20:45:02 UTC |
| bc0179e | Tom Lane | 04 October 2007, 19:07:14 UTC | Update timezone data files to release 2007h of the zic database. Might as well have the latest when we wrap 8.3beta1. | 04 October 2007, 19:07:14 UTC |
| d218e23 | Tom Lane | 29 September 2007, 15:50:07 UTC | Defend against openssl libraries that fail on keys longer than 128 bits; which is the case at least on some Solaris versions. Marko Kreen | 29 September 2007, 15:50:07 UTC |
| 9618af7 | Tom Lane | 29 September 2007, 01:36:29 UTC | Make archive recovery always start a new timeline, rather than only when a recovery stop time was used. This avoids a corner-case risk of trying to overwrite an existing archived copy of the last WAL segment, and seems simpler and cleaner all around than the original definition. Per example from Jon Colverson and subsequent analysis by Simon. | 29 September 2007, 01:36:29 UTC |
| bc16ca2 | Teodor Sigaev | 26 September 2007, 10:30:53 UTC | Fix crash of to_tsvector() function on huge input: compareWORD() function didn't return correct result for word position greate than limit. Per report from Stuart Bishop <stuart@stuartbishop.net> | 26 September 2007, 10:30:53 UTC |
| 9e439d9 | Alvaro Herrera | 24 September 2007, 03:53:06 UTC | Reduce the size of memory allocations by lazy vacuum when processing a small table, by allocating just enough for a hardcoded number of dead tuples per page. The current estimate is 200 dead tuples per page. Per reports from Jeff Amiel, Erik Jones and Marko Kreen, and subsequent discussion. CVS: ---------------------------------------------------------------------- CVS: Enter Log. Lines beginning with `CVS:' are removed automatically CVS: CVS: Committing in . CVS: CVS: Modified Files: CVS: commands/vacuumlazy.c CVS: ---------------------------------------------------------------------- | 24 September 2007, 03:53:06 UTC |
| 4de99f8 | Tom Lane | 22 September 2007, 05:36:00 UTC | Fix bogus calculation of potential output string length in translate(). | 22 September 2007, 05:36:00 UTC |
| ac5091b | Tom Lane | 16 September 2007, 15:56:39 UTC | Fix overflow in extract(epoch from interval) for intervals exceeding 68 years. Seems to have been introduced in 8.1 by careless SECS_PER_DAY search-and-replace. | 16 September 2007, 15:56:39 UTC |
| 1498c45 | Tom Lane | 16 September 2007, 03:03:27 UTC | Update release notes for last-minute fix. | 16 September 2007, 03:03:27 UTC |
| be70626 | Tom Lane | 16 September 2007, 02:38:02 UTC | Fix aboriginal mistake in lazy VACUUM's code for truncating away no-longer-needed pages at the end of a table. We thought we could throw away pages containing HEAPTUPLE_DEAD tuples; but this is not so, because such tuples very likely have index entries pointing at them, and we wouldn't have removed the index entries. The problem only emerges in a somewhat unlikely race condition: the dead tuples have to have been inserted by a transaction that later aborted, and this has to have happened between VACUUM's initial scan of the page and then rechecking it for empty in count_nondeletable_pages. But that timespan will include an index-cleaning pass, so it's not all that hard to hit. This seems to explain a couple of previously unsolved bug reports. | 16 September 2007, 02:38:02 UTC |
| cf45f1f | Marc G. Fournier | 14 September 2007, 20:23:46 UTC | update configure for 8.1.10 | 14 September 2007, 20:23:46 UTC |
| b061801 | Tom Lane | 14 September 2007, 16:08:33 UTC | Fix markup that doesn't work in back branches. | 14 September 2007, 16:08:33 UTC |
| 0fcc022 | Tom Lane | 14 September 2007, 15:51:18 UTC | Minor editorialization on release notes. | 14 September 2007, 15:51:18 UTC |
| eae9062 | Peter Eisentraut | 13 September 2007, 21:10:01 UTC | Translation updates | 13 September 2007, 21:10:01 UTC |
| 07c8226 | Alvaro Herrera | 12 September 2007, 20:21:23 UTC | Make REINDEX DATABASE silently skip remote temp tables. Per report from bitsandbytes88 <at> hotmail.com and subsequent discussion. This is a back patch of a patch committed yesterday to CLUSTER and REINDEX. REINDEX only processes user indexes as of 8.1, so we needn't backpatch this any further. (CLUSTER was backpatched separately all the way back to 7.4). | 12 September 2007, 20:21:23 UTC |
| 57dcb0f | Alvaro Herrera | 12 September 2007, 15:16:20 UTC | Fix the database-wide version of CLUSTER to silently skip temp tables of remote sessions, instead of erroring out in the middle of the operation. This is a backpatch of a previous fix applied to CLUSTER to HEAD and 8.2, all the way back that it is relevant to. | 12 September 2007, 15:16:20 UTC |
| 073164b | Alvaro Herrera | 12 September 2007, 02:05:55 UTC | Add a CHECK_FOR_INTERRUPTS call in the site where the vacuum delay point was removed. | 12 September 2007, 02:05:55 UTC |
| 459b26f | Tom Lane | 11 September 2007, 17:43:45 UTC | Sync timezone data with 2007g zic release. | 11 September 2007, 17:43:45 UTC |
| 1116c0d | Bruce Momjian | 11 September 2007, 17:37:08 UTC | Stamp releases 8.2.5, 8.1.10, 8.0.14, 7.4.18, 7.3.20. Update FAQs for 8.2.5. | 11 September 2007, 17:37:08 UTC |
| 07403e6 | Bruce Momjian | 11 September 2007, 17:19:36 UTC | Stamp | 11 September 2007, 17:19:36 UTC |
| 4603c29 | Tom Lane | 11 September 2007, 17:15:48 UTC | Make sure that open hash table scans are cleaned up when bgwriter tries to recover from elog(ERROR). Problem was created by introduction of hash seq search tracking awhile back, and affects all branches that have bgwriter; in HEAD the disease has snuck into autovacuum and walwriter too. (Not sure that the latter two use hash_seq_search at the moment, but surely they might someday.) Per report from Sergey Koposov. | 11 September 2007, 17:15:48 UTC |
| 8605cfa | Teodor Sigaev | 11 September 2007, 13:06:28 UTC | Fix header's size of structs defines in ispell. | 11 September 2007, 13:06:28 UTC |
| e52f4ec | Alvaro Herrera | 10 September 2007, 17:58:56 UTC | Remove the vacuum_delay_point call in count_nondeletable_pages, because we hold an exclusive lock on the table at this point, which we want to release as soon as possible. This is called in the phase of lazy vacuum where we truncate the empty pages at the end of the table. An alternative solution would be to lower the vacuum delay settings before starting the truncating phase, but this doesn't work very well in autovacuum due to the autobalancing code (which can cause other processes to change our cost delay settings). This case could be considered in the balancing code, but it is simpler this way. | 10 September 2007, 17:58:56 UTC |
| 0156593 | Teodor Sigaev | 07 September 2007, 17:19:52 UTC | Improve page split in rtree emulation. Now if splitted result has big misalignement, then it tries to split page basing on distribution of boxe's centers. Per report from Dolafi, Tom <dolafit@janelia.hhmi.org> | 07 September 2007, 17:19:52 UTC |
| c06e5bb | Tom Lane | 29 August 2007, 16:31:51 UTC | Fix aboriginal bug in _tarAddFile(): when complaining that the amount of data read from the temp file didn't match the file length reported by ftello(), the wrong variable's value was printed, and so the message made no sense. Clean up a couple other coding infelicities while at it. | 29 August 2007, 16:31:51 UTC |
| 2169ad2 | Michael Meskes | 29 August 2007, 13:58:51 UTC | Fixed bug in Informix define handling. | 29 August 2007, 13:58:51 UTC |
| d7e1fa4 | Tom Lane | 25 August 2007, 19:08:31 UTC | Fix brain fade in DefineIndex(): it was continuing to access the table's relcache entry after having heap_close'd it. This could lead to misbehavior if a relcache flush wiped out the cache entry meanwhile. In 8.2 there is a very real risk of CREATE INDEX CONCURRENTLY using the wrong relid for locking and waiting purposes. I think the bug is only cosmetic in 8.0 and 8.1, because their transgression is limited to using RelationGetRelationName(rel) in an ereport message immediately after heap_close, and there's no way (except with special debugging options) for a cache flush to occur in that interval. Not quite sure that it's cosmetic in 7.4, but seems best to patch anyway. Found by trying to run the regression tests with CLOBBER_CACHE_ALWAYS enabled. Maybe we should try to do that on a regular basis --- it's awfully slow, but perhaps some fast buildfarm machine could do it once in awhile. | 25 August 2007, 19:08:31 UTC |
| d68b669 | Tom Lane | 23 August 2007, 16:16:05 UTC | Fix combo_decrypt() to throw an error for zero-length input when using a padded encryption scheme. Formerly it would try to access res[(unsigned) -1], which resulted in core dumps on 64-bit machines, and was certainly trouble waiting to happen on 32-bit machines (though in at least the known case it was harmless because that byte would be overwritten after return). Per report from Ken Colson; fix by Marko Kreen. | 23 August 2007, 16:16:05 UTC |
| bbb7e05 | Tom Lane | 21 August 2007, 02:40:18 UTC | Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the byte after the last full byte of the bit array, regardless of whether that byte was part of the valid data or not. Found by buildfarm testing. Thanks to Stefan Kaltenbrunner for nailing down the cause. | 21 August 2007, 02:40:18 UTC |
| d8cb539 | Tom Lane | 15 August 2007, 19:16:04 UTC | Repair problems occurring when multiple RI updates have to be done to the same row within one query: we were firing check triggers before all the updates were done, leading to bogus failures. Fix by making the triggers queued by an RI update go at the end of the outer query's trigger event list, thereby effectively making the processing "breadth-first". This was indeed how it worked pre-8.0, so the bug does not occur in the 7.x branches. Per report from Pavel Stehule. | 15 August 2007, 19:16:04 UTC |
| 1de589b | Neil Conway | 08 August 2007, 18:07:02 UTC | Fix a gradual memory leak in ExecReScanAgg(). Because the aggregation hash table is allocated in a child context of the agg node's memory context, MemoryContextReset() will reset but *not* delete the child context. Since ExecReScanAgg() proceeds to build a new hash table from scratch (in a new sub-context), this results in leaking the header for the previous memory context. Therefore, use MemoryContextResetAndDeleteChildren() instead. Credit: My colleague Sailesh Krishnamurthy at Truviso for isolating the cause of the leak. | 08 August 2007, 18:07:02 UTC |
| 6d1607d | Tom Lane | 06 August 2007, 01:38:32 UTC | Fix pg_restore to guard against unexpected EOF while reading an archive file. Per report and partial patch from Chad Wagner. | 06 August 2007, 01:38:32 UTC |
| f99e72f | Tom Lane | 04 August 2007, 01:42:34 UTC | Suppress time zone name (%Z) when logging timestamps in xlog.c startup on Windows. This is yet another manifestation of the problem that Windows returns time zone names that may be in a different encoding than we are using. I've put a better solution in HEAD, but the back branches need a simple patch. Per report from Hiroshi Saito. | 04 August 2007, 01:42:34 UTC |
| 6c77d7d | Andrew Dunstan | 02 August 2007, 23:18:47 UTC | Make sure syslogPipe runs in binary mode on Windows to avoid corrupting the pipe chunking protocol. Backport to 8.0 | 02 August 2007, 23:18:47 UTC |
| cbf8f82 | Neil Conway | 02 August 2007, 17:48:57 UTC | Fix a memory leak in tuplestore_end(). Unlikely to be significant during normal operation, but tuplestore_end() ought to do what it claims to do. | 02 August 2007, 17:48:57 UTC |
| 4e95795 | Tom Lane | 31 July 2007, 19:54:01 UTC | Fix a bug in the original implementation of redundant-join-clause removal: clauses in which one side or the other references both sides of the join cannot be removed as redundant, because that expression won't have been constrained below the join. Per report from Sergey Burladyan. | 31 July 2007, 19:54:01 UTC |
| bfe4f48 | Tom Lane | 31 July 2007, 15:50:01 UTC | Fix security definer functions with polymorphic arguments. This case has never worked because fmgr_security_definer() neglected to pass the fn_expr information through. Per report from Viatcheslav Kalinin. | 31 July 2007, 15:50:01 UTC |
| b25d3e4 | Magnus Hagander | 23 July 2007, 18:13:02 UTC | The correct min buffer size is INITIAL_EXPBUFFER_SIZE, not PQERRORMSG_LENGTH. Backpatch only, the proper fix in HEAD is to use PQExpBuffers everywhere. | 23 July 2007, 18:13:02 UTC |
| 987b066 | Tom Lane | 21 July 2007, 22:12:17 UTC | Fix elog.c to avoid infinite recursion (leading to backend crash) when log_min_error_statement is active and there is some problem in logging the current query string; for example, that it's too long to include in the log message without running out of memory. This problem has existed since the log_min_error_statement feature was introduced. No doubt the reason it wasn't detected long ago is that 8.2 is the first release that defaults log_min_error_statement to less than PANIC level. Per report from Bill Moran. | 21 July 2007, 22:12:17 UTC |
| 6d8afde | Tom Lane | 20 July 2007, 16:30:05 UTC | Fix WAL replay of truncate operations to cope with the possibility that the truncated relation was deleted later in the WAL sequence. Since replay normally auto-creates a relation upon its first reference by a WAL log entry, failure is seen only if the truncate entry happens to be the first reference after the checkpoint we're restarting from; which is a pretty unusual case but of course not impossible. Fix by making truncate entries auto-create like the other ones do. Per report and test case from Dharmendra Goyal. | 20 July 2007, 16:30:05 UTC |
| a0b2bb8 | Tom Lane | 19 July 2007, 20:34:34 UTC | Make replace(), split_part(), and string_to_array() behave somewhat sanely when handed an invalidly-encoded pattern. The previous coding could get into an infinite loop if pg_mb2wchar_with_len() returned a zero-length string after we'd tested for nonempty pattern; which is exactly what it will do if the string consists only of an incomplete multibyte character. This led to either an out-of-memory error or a backend crash depending on platform. Per report from Wiktor Wodecki. | 19 July 2007, 20:34:34 UTC |
| fbbc0f0 | Andrew Dunstan | 19 July 2007, 19:14:54 UTC | Only use the pipe chunking protocol if we know the syslogger should be catching stderr output, and we are not ourselves the syslogger. Otherwise, go directly to stderr. Bug noticed by Tom Lane. Backpatch as far as 8.0. | 19 July 2007, 19:14:54 UTC |
| 429870e | Tom Lane | 18 July 2007, 21:41:22 UTC | Fix an old thinko in SS_make_initplan_from_plan, which is used when optimizing a MIN or MAX aggregate call into an indexscan: the initplan is being made at the current query nesting level and so we shouldn't increment query_level. Though usually harmless, this mistake could lead to bogus "plan should not reference subplan's variable" failures on complex queries. Per bug report from David Sanchez i Gregori. | 18 July 2007, 21:41:22 UTC |
| b1def73 | Tom Lane | 17 July 2007, 17:45:48 UTC | Fix incorrect optimization of foreign-key checks. When an UPDATE on the referencing table does not change the tuple's FK column(s), we don't bother to check the PK table since the constraint was presumably already valid. However, the check is still necessary if the tuple was inserted by our own transaction, since in that case the INSERT trigger will conclude it need not make the check (since its version of the tuple has been deleted). We got this right for simple cases, but not when the insert and update are in different subtransactions of the current top-level transaction; in such cases the FK check would never be made at all. (Hence, problem dates back to 8.0 when subtransactions were added --- it's actually the subtransaction version of a bug fixed in 7.3.5.) Fix, and add regression test cases. Report and fix by Affan Salman. | 17 July 2007, 17:45:48 UTC |
| 0f254ea | Tom Lane | 17 July 2007, 01:22:03 UTC | Fix outfuncs.c to dump A_Const nodes representing NULLs correctly. This has been broken since forever, but was not noticed because people seldom look at raw parse trees. AFAIK, no impact on users except that debug_print_parse might fail; but patch it all the way back anyway. Per report from Jeff Ross. | 17 July 2007, 01:22:03 UTC |
| 7ff65db | Joe Conway | 09 July 2007, 01:32:44 UTC | Restrict non-superusers to password authenticated connections to prevent possible escalation of privilege. Provide new SECURITY DEFINER functions with old behavior, but initially REVOKE ALL from public for these functions. Per list discussion and design proposed by Tom Lane. | 09 July 2007, 01:32:44 UTC |
| 4ceaf35 | Tom Lane | 08 July 2007, 22:23:32 UTC | Remove the pgstat_drop_relation() call from smgr_internal_unlink(), because we don't know at that point which relation OID to tell pgstat to forget. The code was passing the relfilenode, which is incorrect, and could possibly cause some other relation's stats to be zeroed out. While we could try to clean this up, it seems much simpler and more reliable to let the next invocation of pgstat_vacuum_tabstat() fix things; which indeed is how it worked before I introduced the buggy code into 8.1.3 and later :-(. Problem noticed by Itagaki Takahiro, fix is per subsequent discussion. | 08 July 2007, 22:23:32 UTC |
| 5d798ba | Tom Lane | 02 July 2007, 20:12:05 UTC | Fix failure to restart Postgres when Linux kernel returns EIDRM for shmctl(). This is a Linux kernel bug that apparently exists in every extant kernel version: sometimes shmctl() will fail with EIDRM when EINVAL is correct. We were assuming that EIDRM indicates a possible conflict with pre-existing backends, and refusing to start the postmaster when this happens. Fortunately, there does not seem to be any case where Linux can legitimately return EIDRM (it doesn't track shmem segments in a way that would allow that), so we can get away with just assuming that EIDRM means EINVAL on this platform. Per reports from Michael Fuhr and Jon Lapham --- it's a bit surprising we have not seen more reports, actually. | 02 July 2007, 20:12:05 UTC |
| 2fc2402 | Tom Lane | 29 June 2007, 01:51:56 UTC | Fix a passel of ancient bugs in to_char(), including two distinct buffer overruns (neither of which seem likely to be exploitable as security holes, fortunately, since the provoker can't control the data written). One of these is due to choosing to stomp on the output of a called function, which is bad news in any case; make it treat the called functions' results as read-only. Avoid some unnecessary palloc/pfree traffic too; it's not really helpful to free small temporary objects, and again this is presuming more than it ought to about the nature of the results of called functions. Per report from Patrick Welche and additional code-reading by Imad. | 29 June 2007, 01:51:56 UTC |
| ed368c1 | Tom Lane | 28 June 2007, 17:50:17 UTC | Fix incorrect tests for undef Perl values in some places in plperl.c. The correct test for defined-ness is SvOK(sv), not anything involving SvTYPE. Per bug #3415 from Matt Taylor. Back-patch as far as 8.0; no apparent problem in 7.x. | 28 June 2007, 17:50:17 UTC |
| 12b9a64 | Tom Lane | 20 June 2007, 18:21:15 UTC | transformColumnDefinition failed to complain about create table foo (bar int default null default 3); due to not thinking about the special-case handling of DEFAULT NULL. Problem noticed while investigating bug #3396. | 20 June 2007, 18:21:15 UTC |
| f5bfaf9 | Tom Lane | 20 June 2007, 18:16:04 UTC | CREATE DOMAIN ... DEFAULT NULL failed because gram.y special-cases DEFAULT NULL and DefineDomain didn't. Bug goes all the way back to original coding of domains. Per bug #3396 from Sergey Burladyan. | 20 June 2007, 18:16:04 UTC |
| 838e286 | Tom Lane | 18 June 2007, 01:14:08 UTC | Back-patch 8.2 fix that complains if trying to extend a relation encounters a buffer containing a non-zeroed page. This seems appropriate now that the 8.2 fix has been seen to save at least one user from data loss due to a buggy kernel (per report from Jaime Silvela 7-May-07). I'd go further back than 8.1, except that the 8.0-to-8.1 bufmgr changes are large enough that the patch doesn't work immediately; I'm hesitant to make a change without more extensive analysis than I have time for now. | 18 June 2007, 01:14:08 UTC |
| 7cf20db | Alvaro Herrera | 14 June 2007, 13:54:40 UTC | Avoid having autovacuum run multiple ANALYZE commands in a single transaction, to prevent possible deadlock problems. Per request from Tom Lane. | 14 June 2007, 13:54:40 UTC |
| 1103beb | Andrew Dunstan | 14 June 2007, 01:50:14 UTC | Implement a chunking protocol for writes to the syslogger pipe, with messages reassembled in the syslogger before writing to the log file. This prevents partial messages from being written, which mucks up log rotation, and messages from different backends being interleaved, which causes garbled logs. Backport as far as 8.0, where the syslogger was introduced. Tom Lane and Andrew Dunstan | 14 June 2007, 01:50:14 UTC |
| 09bb362 | Tom Lane | 09 June 2007, 15:52:47 UTC | Allow numeric_fac() to be interrupted, since it can take quite a while for large inputs. Also cause it to error out immediately if the result will overflow, instead of grinding through a lot of calculation first. Per gripe from Jim Nasby. | 09 June 2007, 15:52:47 UTC |
| bac7d7b | Alvaro Herrera | 07 June 2007, 19:07:11 UTC | Avoid losing track of data for shared tables in pgstats. Report by Michael Fuhr, patch from Tom Lane after a messier suggestion by me. | 07 June 2007, 19:07:11 UTC |
| 5e25d43 | Tom Lane | 07 June 2007, 14:50:07 UTC | Fix array_dims() example to be consistent with the data previously shown. Christian Rossow | 07 June 2007, 14:50:07 UTC |
| 86c68fd | Magnus Hagander | 04 June 2007, 13:48:29 UTC | Oops. Patch didn't work properly for 8.1, so don't backpatch a then-unused variable either. | 04 June 2007, 13:48:29 UTC |
| ca82953 | Magnus Hagander | 04 June 2007, 13:39:34 UTC | On win32, retry reading when WSARecv returns WSAEWOULDBLOCK. There seem to be cases when at least Windows 2000 can do this even though select just indicated that the socket is readable. Per report and analysis from Cyril VELTER. | 04 June 2007, 13:39:34 UTC |
| cec960f | Magnus Hagander | 04 June 2007, 11:59:34 UTC | On win32, don't use SO_REUSEADDR for TCP sockets. Per failure on buildfarm member baiji and subsequent discussion. | 04 June 2007, 11:59:34 UTC |
| 2791837 | Tom Lane | 02 June 2007, 16:41:23 UTC | Fix erroneous error reporting for overlength input in text_date(), text_time(), and text_timetz(). 7.4-vintage bug found by Greg Stark. | 02 June 2007, 16:41:23 UTC |
| dc9b57f | Tom Lane | 01 June 2007, 23:43:23 UTC | Fix aboriginal bug in BufFileDumpBuffer that would cause it to write the wrong data when dumping a bufferload that crosses a component-file boundary. This probably has not been seen in the wild because (a) component files are normally 1GB apiece and (b) non-block-aligned buffer usage is relatively rare. But it's fairly easy to reproduce a problem if one reduces RELSEG_SIZE in a test build. Kudos to Kurt Harriman for spotting the bug. | 01 June 2007, 23:43:23 UTC |
| 38bbcb3 | Tom Lane | 01 June 2007, 15:58:09 UTC | Fix performance problems in multi-batch hash joins by ensuring that we select a well-randomized batch number even when given a poorly-randomized hash value. This is a bit inefficient but seems the only practical solution given the constraint that we can't change the hash functions in released branches. Per report from Joseph Shraibman. Applied to 8.1 and 8.2 only --- HEAD is getting a cleaner fix, and 8.0 and before use different coding that seems less vulnerable. | 01 June 2007, 15:58:09 UTC |
| 4c2158b | Tom Lane | 30 May 2007, 21:01:53 UTC | Fix overly-strict sanity check in BeginInternalSubTransaction that made it fail when used in a deferred trigger. Bug goes back to 8.0; no doubt the reason it hadn't been noticed is that we've been discouraging use of user-defined constraint triggers. Per report from Frank van Vugt. | 30 May 2007, 21:01:53 UTC |
| 21b8d51 | Neil Conway | 29 May 2007, 04:59:44 UTC | Fix a bug in input processing for the "interval" type. Previously, "microsecond" and "millisecond" units were not considered valid input by themselves, which caused inputs like "1 millisecond" to be rejected erroneously. Update the docs, add regression tests, and backport to 8.2 and 8.1 | 29 May 2007, 04:59:44 UTC |
| 9ccf784 | Tom Lane | 22 May 2007, 01:40:53 UTC | Fix best_inner_indexscan to return both the cheapest-total-cost and cheapest-startup-cost innerjoin indexscans, and make joinpath.c consider both of these (when different) as the inside of a nestloop join. The original design was based on the assumption that indexscan paths always have negligible startup cost, and so total cost is the only important figure of merit; an assumption that's obviously broken by bitmap indexscans. This oversight could lead to choosing poor plans in cases where fast-start behavior is more important than total cost, such as LIMIT and IN queries. 8.1-vintage brain fade exposed by an example from Chuck D. | 22 May 2007, 01:40:53 UTC |
| 3c49269 | Peter Eisentraut | 21 May 2007, 15:09:46 UTC | Fix spurious German index entry | 21 May 2007, 15:09:46 UTC |
| 7b5d257 | Michael Meskes | 21 May 2007, 14:57:16 UTC | Removed errant ISODOW | 21 May 2007, 14:57:16 UTC |
| 2876717 | Michael Meskes | 21 May 2007, 07:12:51 UTC | Backported fix from HEAD that removes superfluous function Vista has a problem with | 21 May 2007, 07:12:51 UTC |
| 2df0eb1 | Tom Lane | 18 May 2007, 01:20:33 UTC | Remove redundant logging of send failures when SSL is in use. While pqcomm.c had been taught not to do that ages ago, the SSL code was helpfully bleating anyway. Resolves some recent reports such as bug #3266; however the underlying cause of the related bug #2829 is still unclear. | 18 May 2007, 01:20:33 UTC |
| cac0d69 | Alvaro Herrera | 15 May 2007, 20:20:29 UTC | Avoid emitting empty role names in the GRANTED BY clause of GRANT ROLE when the grantor has been dropped. This is a workaround for the fact that we don't track the grantor as a shared dependency. | 15 May 2007, 20:20:29 UTC |
| 6a94e76 | Magnus Hagander | 13 May 2007, 16:04:35 UTC | Document that CLUSTER breaks MVCC visibility rules. (Not needed in cvs head, because CLUSTER itself is fixed there) Heikki Linnakangas | 13 May 2007, 16:04:35 UTC |
