Skip to main content

Browse the archive

https://github.com/postgres/postgres
07 April 2024, 13:56:23 UTC
sort by:
Revision Author Date Message Commit Date
d6d7926 Marc G. Fournier 01 October 2010, 13:37:59 UTC Tag 8.1.22 01 October 2010, 13:37:59 UTC
329d755 Tom Lane 30 September 2010, 21:21:59 UTC Use a separate interpreter for each calling SQL userid in plperl and pltcl. There are numerous methods by which a Perl or Tcl function can subvert the behavior of another such function executed later; for example, by redefining standard functions or operators called by the target function. If the target function is SECURITY DEFINER, or is called by such a function, this means that any ordinary SQL user with Perl or Tcl language usage rights can do essentially anything with the privileges of the target function's owner. To close this security hole, create a separate Perl or Tcl interpreter for each SQL userid under which plperl or pltcl functions are executed within a session. However, all plperlu or pltclu functions run within a session still share a single interpreter, since they all execute at the trust level of a database superuser anyway. Note: this change results in a functionality loss when libperl has been built without the "multiplicity" option: it's no longer possible to call plperl functions under different userids in one session, since such a libperl can't support multiple interpreters in one process. However, such a libperl already failed to support concurrent use of plperl and plperlu, so it's likely that few people use such versions with Postgres. Security: CVE-2010-3433 30 September 2010, 21:21:59 UTC
51b69ef Peter Eisentraut 30 September 2010, 19:15:37 UTC Translation updates for 8.1.22 30 September 2010, 19:15:37 UTC
10fbaf0 Tom Lane 30 September 2010, 18:27:51 UTC Update release notes for releases 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22, 8.0.26, and 7.4.30. 30 September 2010, 18:27:51 UTC
3c2da80 Tom Lane 25 September 2010, 19:57:05 UTC Further fixes to the pg_get_expr() security fix in back branches. It now emerges that the JDBC driver expects to be able to use pg_get_expr() on an output of a sub-SELECT. So extend the check logic to be able to recurse into a sub-SELECT to see if the argument is ultimately coming from an appropriate column. Per report from Thomas Kellerer. 25 September 2010, 20:39:44 UTC
5efa144 Tom Lane 24 September 2010, 17:48:37 UTC Still more .gitignore cleanup. Fix overly-enthusiastic ignores, as identified by git ls-files -i --exclude-standard 24 September 2010, 17:48:37 UTC
cf497cb Robert Haas 24 September 2010, 02:00:26 UTC Add contrib/xml2/pgxml.sql to .gitignore Kevin Grittner 24 September 2010, 02:08:30 UTC
511449d Tom Lane 23 September 2010, 20:53:42 UTC Prevent show_session_authorization from crashing when session_authorization hasn't been set. The only known case where this can happen is when show_session_authorization is invoked in an autovacuum process, which is possible if an index function calls it, as for example in bug #5669 from Andrew Geery. We could perhaps try to return a sensible value, such as the name of the cluster-owning superuser; but that seems like much more trouble than the case is worth, and in any case it could create new possible failure modes. Simply returning an empty string seems like the most appropriate fix. Back-patch to all supported versions, even those before autovacuum, just in case there's another way to provoke this crash. 23 September 2010, 20:53:42 UTC
4e2e9f2 Tom Lane 23 September 2010, 02:32:54 UTC More fixes for libpq's .gitignore file. The previous patches failed to cover a lot of symlinks that are only added in platform-specific cases. Make the lists match what's in the Makefile for each branch. 23 September 2010, 02:32:54 UTC
7c192c9 Tom Lane 23 September 2010, 00:22:55 UTC Do some copy-editing on the Git usage docs. 23 September 2010, 00:22:55 UTC
2e75e70 Tom Lane 22 September 2010, 22:26:29 UTC Fix documentation gitignore for pre-9.0 doc build methods. 22 September 2010, 22:26:29 UTC
f02f7c4 Tom Lane 22 September 2010, 21:22:18 UTC Some more gitignore cleanups: cover contrib and PL regression test outputs. Also do some further work in the back branches, where quite a bit wasn't covered by Magnus' original back-patch. 22 September 2010, 21:22:18 UTC
706a580 Magnus Hagander 22 September 2010, 18:48:47 UTC Remove anonymous cvs instructions, and replace them with instructions for git. Change other references from cvs to git as well. 22 September 2010, 18:48:47 UTC
3fb50a7 Magnus Hagander 22 September 2010, 10:57:17 UTC Convert cvsignore to gitignore, and add .gitignore for build targets. 22 September 2010, 10:57:17 UTC
a17e0e1 Tom Lane 21 September 2010, 18:43:20 UTC Back-patch replacement of README.CVS with README.git. In older branches, also git-ify the "make distdir" rule. 21 September 2010, 18:43:20 UTC
deb8a22 Tom Lane 26 August 2010, 19:59:22 UTC Update time zone data files to tzdata release 2010l: DST law changes in Egypt and Palestine. Added new names for two Micronesian timezones: Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over Pacific/Ponape. Historical corrections for Finland. 26 August 2010, 19:59:22 UTC
c2c90a5 Tom Lane 26 August 2010, 18:55:12 UTC Fix ExecMakeTableFunctionResult to verify that all rows returned by a SRF returning "record" actually do have the same rowtype. This is needed because the parser can't realistically enforce that they will all have the same typmod, as seen in a recent example from David Wheeler. Back-patch to 8.0, which is as far back as we have the notion of RECORD subtypes being distinguished by typmod. Wheeler's example depends on 8.4-and-up features, but I suspect there may be ways to provoke similar failures before 8.4. 26 August 2010, 18:55:12 UTC
703cd9c Peter Eisentraut 25 August 2010, 19:37:34 UTC Catch null pointer returns from PyCObject_AsVoidPtr and PyCObject_FromVoidPtr This is reproducibly possible in Python 2.7 if the user turned PendingDeprecationWarning into an error, but it's theoretically also possible in earlier versions in case of exceptional conditions. backpatched to 8.0 25 August 2010, 19:37:34 UTC
e521b3e Tom Lane 16 August 2010, 17:33:17 UTC Arrange to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) when writing them. The lack of an fsync here may well explain two different reports we've seen of corrupted lockfile contents, which doesn't particularly bother the running server but can prevent a new server from starting if the old one crashes. Per suggestion from Alvaro. Back-patch to all supported versions. 16 August 2010, 17:33:17 UTC
7ded6d6 Tom Lane 16 August 2010, 00:06:48 UTC Fix psql's copy of utf2ucs() to match the backend's copy exactly; in particular, propagate a fix in the test to see whether a UTF8 character has length 4 bytes. This is likely of little real-world consequence because 5-or-more-byte UTF8 sequences are not supported by Postgres nor seen anywhere in the wild, but still we may as well get it right. Problem found by Joseph Adams. Bug is aboriginal, so back-patch all the way. 16 August 2010, 00:06:48 UTC
35f0dcc Robert Haas 11 August 2010, 19:04:03 UTC Fix one more incorrect errno definition in the ECPG manual. Again, back-patch all the way to 7.4. 11 August 2010, 19:04:03 UTC
19efe04 Robert Haas 11 August 2010, 18:52:52 UTC Fix incorrect errno definitions in ECPG manual. ecpgerrno.h hasn't materially changed since PostgreSQL 7.4, so this has been wrong for a very long time. Back-patch all the way. Satoshi Nagayasu 11 August 2010, 18:52:52 UTC
d0844a8 Tom Lane 09 August 2010, 18:50:54 UTC Fix incorrect logic in plpgsql for cleanup after evaluation of non-simple expressions. We need to deal with this when handling subscripts in an array assignment, and also when catching an exception. In an Assert-enabled build these omissions led to Assert failures, but I think in a normal build the only consequence would be short-term memory leakage; which may explain why this wasn't reported from the field long ago. Back-patch to all supported versions. 7.4 doesn't have exceptions, but otherwise these bugs go all the way back. Heikki Linnakangas and Tom Lane 09 August 2010, 18:50:54 UTC
2f7cd43 Tom Lane 30 July 2010, 17:57:18 UTC Improved version of patch to protect pg_get_expr() against misuse: look through join alias Vars to avoid breaking join queries, and move the test to someplace where it will catch more possible ways of calling a function. We still ought to throw away the whole thing in favor of a data-type-based solution, but that's not feasible in the back branches. Completion of back-port of my patch of yesterday. 30 July 2010, 17:57:18 UTC
9e468f9 Tom Lane 29 July 2010, 19:23:58 UTC Fix another longstanding problem in copy_relation_data: it was blithely assuming that a local char[] array would be aligned on at least a word boundary. There are architectures on which that is pretty much guaranteed to NOT be the case ... and those arches also don't like non-aligned memory accesses, meaning that log_newpage() would crash if it ever got invoked. Even on Intel-ish machines there's a potential for a large performance penalty from doing I/O to an inadequately aligned buffer. So palloc it instead. Backpatch to 8.0 --- 7.4 doesn't have this code. 29 July 2010, 19:23:58 UTC
76a106f Robert Haas 29 July 2010, 16:15:33 UTC Fix possible page corruption by ALTER TABLE .. SET TABLESPACE. If a zeroed page is present in the heap, ALTER TABLE .. SET TABLESPACE will set the LSN and TLI while copying it, which is wrong, and heap_xlog_newpage() will do the same thing during replay, so the corruption propagates to any standby. Note, however, that the bug can't be demonstrated unless archiving is enabled, since in that case we skip WAL logging altogether, and the LSN/TLI are not set. Back-patch to 8.0; prior releases do not have tablespaces. Analysis and patch by Jeff Davis. Adjustments for back-branches and minor wordsmithing by me. 29 July 2010, 16:15:33 UTC
7c294bf Tom Lane 28 July 2010, 04:51:27 UTC Fix potential failure when hashing the output of a subplan that produces a pass-by-reference datatype with a nontrivial projection step. We were using the same memory context for the projection operation as for the temporary context used by the hashtable routines in execGrouping.c. However, the hashtable routines feel free to reset their temp context at any time, which'd lead to destroying input data that was still needed. Report and diagnosis by Tao Ma. Back-patch to 8.1, where the problem was introduced by the changes that allowed us to work with "virtual" tuples instead of materializing intermediate tuple values everywhere. The earlier code looks quite similar, but it doesn't suffer the problem because the data gets copied into another context as a result of having to materialize ExecProject's output tuple. 28 July 2010, 04:51:27 UTC
003c598 Peter Eisentraut 27 July 2010, 18:55:01 UTC Spelling fix 27 July 2010, 18:55:01 UTC
f6d3301 Peter Eisentraut 26 July 2010, 20:30:07 UTC Fix grammar backpatched to 8.1 26 July 2010, 20:30:07 UTC
202c89c Robert Haas 23 July 2010, 00:43:44 UTC Avoid deep recursion when assigning XIDs to multiple levels of subxacts. Backpatch to 8.0. Andres Freund, with cleanup and adjustment for older branches by me. 23 July 2010, 00:43:44 UTC
b9ded24 Heikki Linnakangas 13 July 2010, 09:03:01 UTC Oops, in the previous fix to prevent a cursor that's being used in a FOR loop from being dropped, I missed subtransaction cleanup. Pinned portals must be dropped at subtransaction cleanup just as they are at main transaction cleanup. Per bug #5556 by Robert Walker. Backpatch to 8.0, 7.4 didn't have subtransactions. 13 July 2010, 09:03:01 UTC
dae1190 Tom Lane 09 July 2010, 22:58:12 UTC Avoid an Assert failure in deconstruct_array() by making get_attstatsslot() use the actual element type of the array it's disassembling, rather than trusting the type OID passed in by its caller. This is needed because sometimes the planner passes in a type OID that's only binary-compatible with the target column's type, rather than being an exact match. Per an example from Bernd Helmle. Possibly we should refactor get_attstatsslot/free_attstatsslot to not expect the caller to supply type ID data at all, but for now I'll just do the minimum-change fix. Back-patch to 7.4. Bernd's test case only crashes back to 8.0, but since these subroutines are the same in 7.4, I suspect there may be variant cases that would crash 7.4 as well. 09 July 2010, 22:58:12 UTC
accabac Tom Lane 08 July 2010, 00:14:28 UTC Fix "cannot handle unplanned sub-select" error that can occur when a sub-select contains a join alias reference that expands into an expression containing another sub-select. Per yesterday's report from Merlin Moncure and subsequent off-list investigation. Back-patch to 7.4. Older versions didn't attempt to flatten sub-selects in ways that would trigger this problem. 08 July 2010, 00:14:28 UTC
9654b60 Heikki Linnakangas 05 July 2010, 09:27:42 UTC The previous fix in CVS HEAD and 8.4 for handling the case where a cursor being used in a PL/pgSQL FOR loop is closed was inadequate, as Tom Lane pointed out. The bug affects FOR statement variants too, because you can close an implicitly created cursor too by guessing the "<unnamed portal X>" name created for it. To fix that, "pin" the portal to prevent it from being dropped while it's being used in a PL/pgSQL FOR loop. Backpatch all the way to 7.4 which is the oldest supported version. 05 July 2010, 09:27:42 UTC
4d242bb Tom Lane 03 July 2010, 04:03:33 UTC Fix assorted misstatements and poor wording in the descriptions of the I/O formats for geometric types. Per bug #5536 from Jon Strait, and my own testing. Back-patch to all supported branches, since this doco has been wrong right along -- we certainly haven't changed the I/O behavior of these types in many years. 03 July 2010, 04:03:33 UTC
b525073 Robert Haas 01 July 2010, 14:11:03 UTC Allow ALTER TABLE .. SET TABLESPACE to be interrupted. Backpatch to 8.0, where tablespaces were introduced. Guillaume Lelarge 01 July 2010, 14:11:03 UTC
2c0080a Heikki Linnakangas 30 June 2010, 18:11:19 UTC stringToNode() and deparse_expression_pretty() crash on invalid input, but we have nevertheless exposed them to users via pg_get_expr(). It would be too much maintenance effort to rigorously check the input, so put a hack in place instead to restrict pg_get_expr() so that the argument must come from one of the system catalog columns known to contain valid expressions. Per report from Rushabh Lathia. Backpatch to 7.4 which is the oldest supported version at the moment. 30 June 2010, 18:11:19 UTC
7577975 Tom Lane 15 June 2010, 19:04:45 UTC Fix dblink_build_sql_insert() and related functions to handle dropped columns correctly. In passing, get rid of some dead logic in the underlying get_sql_insert() etc functions --- there is no caller that will pass null value-arrays to them. Per bug report from Robert Voinea. 15 June 2010, 19:04:45 UTC
7a1d80b Tom Lane 15 June 2010, 16:22:45 UTC Consolidate and improve checking of key-column-attnum arguments for dblink_build_sql_insert() and related functions. In particular, be sure to reject references to dropped and out-of-range column numbers. The numbers are still interpreted as physical column numbers, though, for backward compatibility. This patch replaces Joe's patch of 2010-02-03, which handled only some aspects of the problem. 15 June 2010, 16:22:45 UTC
c797279 Tom Lane 14 June 2010, 20:49:57 UTC Rearrange dblink's dblink_build_sql_insert() and related routines to open and lock the target relation just once per SQL function call. The original coding obtained and released lock several times per call. Aside from saving a not-insignificant number of cycles, this eliminates possible race conditions if someone tries to modify the relation's schema concurrently. Also centralize locking and permission-checking logic. Problem noted while investigating a trouble report from Robert Voinea --- his problem is still to be fixed, though. 14 June 2010, 20:49:57 UTC
47cf87a Itagaki Takahiro 09 June 2010, 01:00:13 UTC Fix connection leak in dblink when dblink_connect() or dblink_connect_u() end with "duplicate connection name" errors. Backported to release 7.4. 09 June 2010, 01:00:13 UTC
ac14ba5 Itagaki Takahiro 03 June 2010, 09:44:35 UTC Fix dblink to treat connection names longer than NAMEDATALEN-2 (62 bytes). Now long names are adjusted with truncate_identifier() and NOTICE messages are raised if names are actually truncated. Backported to release 8.0. 03 June 2010, 09:44:35 UTC
dbfa55f Tom Lane 27 May 2010, 19:20:06 UTC Change ps_status.c to explicitly track the current logical length of ps_buffer. This saves cycles in get_ps_display() on many popular platforms, and more importantly ensures that get_ps_display() will correctly return an empty string if init_ps_display() hasn't been called yet. Per trouble report from Ray Stell, in which log_line_prefix %i produced junk early in backend startup. Back-patch to 8.0. 7.4 doesn't have %i and its version of get_ps_display() makes no pretense of avoiding pad junk anyhow. 27 May 2010, 19:20:06 UTC
b5285c1 Andrew Dunstan 17 May 2010, 20:46:20 UTC > Follow up a visit from the style police. 17 May 2010, 20:46:20 UTC
97d136f Robert Haas 16 May 2010, 03:56:03 UTC Fix longstanding typo in V1 calling conventions documentation. Erik Rijkers 16 May 2010, 03:56:03 UTC
7965fd5 Tom Lane 15 May 2010, 18:11:30 UTC Improve documentation of pg_restore's -l and -L switches to point out their interactions with filtering switches, such as -n and -t. Per a complaint from Russell Smith. 15 May 2010, 18:11:30 UTC
30017da Marc G. Fournier 14 May 2010, 03:35:26 UTC tag 8.1.21 14 May 2010, 03:35:26 UTC
6499118 Tom Lane 13 May 2010, 21:27:29 UTC Update release notes with security issues. Security: CVE-2010-1169, CVE-2010-1170 13 May 2010, 21:27:29 UTC
b67abe3 Tom Lane 13 May 2010, 19:16:38 UTC Use an entity instead of non-ASCII letter. Thom Brown 13 May 2010, 19:16:38 UTC
a921879 Tom Lane 13 May 2010, 18:29:37 UTC Prevent PL/Tcl from loading the "unknown" module from pltcl_modules unless that is a regular table or view owned by a superuser. This prevents a trojan horse attack whereby any unprivileged SQL user could create such a table and insert code into it that would then get executed in other users' sessions whenever they call pltcl functions. Worse yet, because the code was automatically loaded into both the "normal" and "safe" interpreters at first use, the attacker could execute unrestricted Tcl code in the "normal" interpreter without there being any pltclu functions anywhere, or indeed anyone else using pltcl at all: installing pltcl is sufficient to open the hole. Change the initialization logic so that the "unknown" code is only loaded into an interpreter when the interpreter is first really used. (That doesn't add any additional security in this particular context, but it seems a prudent change, and anyway the former behavior violated the principle of least astonishment.) Security: CVE-2010-1170 13 May 2010, 18:29:37 UTC
68e621b Andrew Dunstan 13 May 2010, 16:43:41 UTC Abandon the use of Perl's Safe.pm to enforce restrictions in plperl, as it is fundamentally insecure. Instead apply an opmask to the whole interpreter that imposes restrictions on unsafe operations. These restrictions are much harder to subvert than is Safe.pm, since there is no container to be broken out of. Backported to release 7.4. In releases 7.4, 8.0 and 8.1 this also includes the necessary backporting of the two interpreters model for plperl and plperlu adopted in release 8.2. In versions 8.0 and up, the use of Perl's POSIX module to undo its locale mangling on Windows has become insecure with these changes, so it is replaced by our own routine, which is also faster. Nice side effects of the changes include that it is now possible to use perl's "strict" pragma in a natural way in plperl, and that perl's $a and $b variables now work as expected in sort routines, and that function compilation is significantly faster. Tim Bunce and Andrew Dunstan, with reviews from Alex Hunsaker and Alexey Klyukin. Security: CVE-2010-1169 13 May 2010, 16:43:41 UTC
ffba89a Peter Eisentraut 13 May 2010, 07:22:03 UTC Translation update 13 May 2010, 07:22:03 UTC
a65beef Tom Lane 12 May 2010, 23:27:51 UTC Preliminary release notes for releases 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, 7.4.29. 12 May 2010, 23:27:51 UTC
68083ef Tom Lane 11 May 2010, 23:01:56 UTC Update time zone data files to tzdata release 2010j: DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia. Historical corrections for Taiwan. 11 May 2010, 23:01:56 UTC
7e84802 Tom Lane 08 May 2010, 16:40:38 UTC Work around a subtle portability problem in use of printf %s format. Depending on which spec you read, field widths and precisions in %s may be counted either in bytes or characters. Our code was assuming bytes, which is wrong at least for glibc's implementation, and in any case libc might have a different idea of the prevailing encoding than we do. Hence, for portable results we must avoid using anything more complex than just "%s" unless the string to be printed is known to be all-ASCII. This patch fixes the cases I could find, including the psql formatting failure reported by Hernan Gonzalez. In HEAD only, I also added comments to some places where it appears safe to continue using "%.*s". 08 May 2010, 16:40:38 UTC
ddcba86 Tom Lane 05 May 2010, 22:19:24 UTC Fix psql to not go into infinite recursion when expanding a variable that refers to itself (directly or indirectly). Instead, print a message when recursion is detected, and don't expand the repeated reference. Per bug #5448 from Francis Markham. Back-patch to 8.0. Although the issue exists in 7.4 as well, it seems impractical to fix there because of the lack of any state stack that could be used to track active expansions. 05 May 2010, 22:19:24 UTC
fbd2fbe Tom Lane 05 May 2010, 02:55:04 UTC Fix backpatching error in recent patch for ALTER USER f RESET ALL behavior. The argument list for array_set() changed in 8.2 (in connection with allowing nulls in arrays) but the newer argument list was used in the patches applied to 8.1 and 8.0 branches. The patch for 7.4 was OK though. Per compiler warnings. 05 May 2010, 02:55:04 UTC
6666e76 Tom Lane 01 May 2010, 22:47:00 UTC Add code to InternalIpcMemoryCreate() to handle the case where shmget() returns EINVAL for an existing shared memory segment. Although it's not terribly sensible, that behavior does meet the POSIX spec because EINVAL is the appropriate error code when the existing segment is smaller than the requested size, and the spec explicitly disclaims any particular ordering of error checks. Moreover, it does in fact happen on OS X and probably other BSD-derived kernels. (We were able to talk NetBSD into changing their code, but purging that behavior from the wild completely seems unlikely to happen.) We need to distinguish collision with a pre-existing segment from invalid size request in order to behave sensibly, so it's worth some extra code here to get it right. Per report from Gavin Kistner and subsequent investigation. Back-patch to all supported versions, since any of them could get used with a kernel having the debatable behavior. 01 May 2010, 22:47:00 UTC
d130025 Tom Lane 30 April 2010, 19:16:10 UTC Fix multiple memory leaks in PLy_spi_execute_fetch_result: it would leak memory if the result had zero rows, and also if there was any sort of error while converting the result tuples into Python data. Reported and partially fixed by Andres Freund. Back-patch to all supported versions. Note: I haven't tested the 7.4 fix. 7.4's configure check for python is so obsolete it doesn't work on my current machines :-(. The logic change is pretty straightforward though. 30 April 2010, 19:16:10 UTC
2c862fb Peter Eisentraut 15 April 2010, 20:45:40 UTC IP port -> TCP port backpatched to 8.1, where this first appeared 15 April 2010, 20:45:40 UTC
0783d49 Andrew Dunstan 03 April 2010, 17:54:50 UTC Sync perl's ppport.h on all branches back to 7.4 with recent update on HEAD, ensuring we can build older branches with modern Perl installations. 03 April 2010, 17:54:50 UTC
c383ff4 Tom Lane 02 April 2010, 16:17:18 UTC Ensure that contrib/pgstattuple functions respond to cancel interrupts reasonably promptly, by adding CHECK_FOR_INTERRUPTS in the per-page loops. Tatsuhito Kasahara 02 April 2010, 16:17:18 UTC
03ecb57 Alvaro Herrera 25 March 2010, 14:45:36 UTC Prevent ALTER USER f RESET ALL from removing the settings that were put there by a superuser -- "ALTER USER f RESET setting" already disallows removing such a setting. Apply the same treatment to ALTER DATABASE d RESET ALL when run by a database owner that's not superuser. 25 March 2010, 14:45:36 UTC
40db749 Tom Lane 20 March 2010, 00:58:32 UTC Clear error_context_stack and debug_query_string at the beginning of proc_exit, so that we won't try to attach any context printouts to messages that get emitted while exiting. Per report from Dennis Koegel, the context functions won't necessarily work after we've started shutting down the backend, and it seems possible that debug_query_string could be pointing at freed storage as well. The context information doesn't seem particularly relevant to such messages anyway, so there's little lost by suppressing it. Back-patch to all supported branches. I can only demonstrate a crash with log_disconnections messages back to 8.1, but the risk seems real in 8.0 and before anyway. 20 March 2010, 00:58:32 UTC
dbaaca2 Magnus Hagander 17 March 2010, 18:04:14 UTC Typo fixes. Fujii Masao 17 March 2010, 18:04:14 UTC
53690dc Marc G. Fournier 12 March 2010, 03:51:21 UTC tag 8.1.20 12 March 2010, 03:51:21 UTC
e6bef11 Tom Lane 10 March 2010, 01:59:02 UTC Preliminary release notes for releases 8.4.3, 8.3.10, 8.2.16, 8.1.20, 8.0.24, 7.4.28. 10 March 2010, 01:59:02 UTC
a38c09f Tom Lane 09 March 2010, 22:35:16 UTC Use SvROK(sv) rather than directly checking SvTYPE(sv) == SVt_RV in plperl. The latter is considered unwarranted chumminess with the implementation, and can lead to crashes with recent Perl versions. Report and fix by Tim Bunce. Back-patch to all versions containing the questionable coding pattern. 09 March 2010, 22:35:16 UTC
22ae430 Alvaro Herrera 09 March 2010, 14:31:32 UTC Update time zone data files to tzdata release 2010d: DST law changes in Fiji, Samoa, Chile; corrections to recent changes in Paraguay and Bangladesh. 09 March 2010, 14:31:32 UTC
b2dfc2f Magnus Hagander 08 March 2010, 12:39:29 UTC Add missing space in example. Tim Landscheidt 08 March 2010, 12:39:29 UTC
e52d568 Tom Lane 08 March 2010, 01:18:45 UTC Update time zone data files to tzdata release 2010c: DST law changes in Bangladesh, Mexico, Paraguay. 08 March 2010, 01:18:45 UTC
0a32a06 Tom Lane 06 March 2010, 00:46:13 UTC When reading pg_hba.conf and similar files, do not treat @file as an inclusion unless (1) the @ isn't quoted and (2) the filename isn't empty. This guards against unexpectedly treating usernames or other strings in "flat files" as inclusion requests, as seen in a recent trouble report from Ed L. The empty-filename case would be guaranteed to misbehave anyway, because our subsequent path-munging behavior results in trying to read the directory containing the current input file. I think this might finally explain the report at http://archives.postgresql.org/pgsql-bugs/2004-05/msg00132.php of a crash after printing "authentication file token too long, skipping", since I was able to duplicate that message (though not a crash) on a platform where stdio doesn't refuse to read directories. We never got far in investigating that problem, but now I'm suspicious that the trigger condition was an @ in the flat password file. Back-patch to all active branches since the problem can be demonstrated in all branches except HEAD. The test case, creating a user named "@", doesn't cause a problem in HEAD since we got rid of the flat password file. Nonetheless it seems like a good idea to not consider quoted @ as a file inclusion spec, so I changed HEAD too. 06 March 2010, 00:46:13 UTC
14669da Tom Lane 03 March 2010, 20:31:34 UTC Fix a couple of places that would loop forever if attempts to read a stdio file set ferror() but never set feof(). This is known to be the case for recent glibc when trying to read a directory as a file, and might be true for other platforms/cases too. Per report from Ed L. (There is more that we ought to do about his report, but this is one easily identifiable issue.) 03 March 2010, 20:31:34 UTC
238e6b9 Tom Lane 03 March 2010, 19:10:45 UTC Make contrib/xml2 use core xml.c's error handler, when available (that is, in versions >= 8.3). The core code is more robust and efficient than what was there before, and this also reduces risks involved in swapping different libxml error handler settings. Before 8.3, there is still some risk of problems if add-on modules such as Perl invoke libxml without setting their own error handler. Given the lack of reports I'm not sure there's a risk in practice, so I didn't take the step of actually duplicating the core code into older contrib/xml2 branches. Instead I just tweaked the existing code to ensure it didn't leave a dangling pointer to short-lived memory when throwing an error. 03 March 2010, 19:10:45 UTC
64e19ac Heikki Linnakangas 01 March 2010, 20:56:15 UTC Fix numericlocale psql option when used with a null string and latex and troff formats; a null string must not be formatted as a numeric. The more exotic formats latex and troff also incorrectly formatted all strings as numerics when numericlocale was on. Backpatch to 8.1 where numericlocale option was added. This fixes bug #5355 reported by Andy Lester. 01 March 2010, 20:56:15 UTC
8a0137d Tom Lane 01 March 2010, 18:08:34 UTC Fix contrib/xml2 so regression test still works when it's built without libxslt. This involves modifying the module to have a stable ABI, that is, the xslt_process() function still exists even without libxslt. It throws a runtime error if called, but doesn't prevent executing the CREATE FUNCTION call. This is a good thing anyway to simplify cross-version upgrades. 01 March 2010, 18:08:34 UTC
a8ab473 Tom Lane 01 March 2010, 05:17:01 UTC Remove xmlCleanupParser calls from contrib/xml2. These are unnecessary and probably dangerous. I don't see any immediate risk situations in the core XML support or contrib/xml2 itself, but there could be issues with external uses of libxml2, and in any case it's an accident waiting to happen. 01 March 2010, 05:17:01 UTC
94152f9 Tom Lane 01 March 2010, 03:41:22 UTC Back-patch today's memory management fixups in contrib/xml2. Prior to 8.3, these changes are not critical for compatibility with core Postgres, since core had no libxml2 calls then. However there is still a risk if contrib/xml2 is used along with libxml2 functionality in Perl or other loadable modules. So back-patch to all versions. Also back-patch addition of regression tests. I'm not sure how many of the cases are interesting without the interaction with core xml code, but a silly regression test is still better than none at all. 01 March 2010, 03:41:22 UTC
a360930 Tom Lane 25 February 2010, 23:44:27 UTC Back-patch addition of ssl_renegotiation_limit into 7.4 through 8.1. 25 February 2010, 23:44:27 UTC
26662b7 Itagaki Takahiro 19 February 2010, 01:08:27 UTC Fix STOP WAL LOCATION in backup history files no to return the next segment of XLOG_BACKUP_END record even if the the record is placed at a segment boundary. Furthermore the previous implementation could return nonexistent segment file name when the boundary is in segments that has "FE" suffix; We never use segments with "FF" suffix. Backpatch to 8.0, where hot backup was introduced. Reported by Fujii Masao. 19 February 2010, 01:08:27 UTC
8005df3 Tom Lane 18 February 2010, 23:50:33 UTC Volatile-ize all five places where we expect a PG_TRY block to restore old memory context in plpython. Before only one of them was marked volatile, but per report from Zdenek Kotala, some compilers do the wrong thing here. 18 February 2010, 23:50:33 UTC
d786916 Greg Stark 17 February 2010, 11:35:51 UTC revert prior patch to fsync directories until portability problems exposed by build farm can be sorted out 17 February 2010, 11:35:51 UTC
7f92f7c Greg Stark 14 February 2010, 17:50:34 UTC Make CREATE DATABASE safe against losing whole files by fsyncing the directory and not just the individual files. Back-patch to 8.1 -- before that we just called "cp -r" and never fsynced anything anyways. 14 February 2010, 17:50:34 UTC
38a7ddc Tom Lane 12 February 2010, 19:38:08 UTC Don't choke when exec_move_row assigns a synthesized null to a column that happens to be composite itself. Per bug #5314 from Oleg Serov. Backpatch to 8.0 --- 7.4 has got too many other shortcomings in composite-type support to make this worth worrying about in that branch. 12 February 2010, 19:38:08 UTC
7b537a8 Joe Conway 03 February 2010, 23:02:07 UTC Check to ensure the number of primary key fields supplied does not exceed the total number of non-dropped source table fields for dblink_build_sql_*(). Addresses bug report from Rushabh Lathia. Backpatch all the way to the 7.3 branch. 03 February 2010, 23:02:07 UTC
f54f9ea Tom Lane 01 February 2010, 02:45:55 UTC Change regexp engine's ccondissect/crevdissect routines to perform DFA matching before recursing instead of after. The DFA match eliminates unworkable midpoint choices a lot faster than the recursive check, in most cases, so doing it first can speed things up; particularly in pathological cases such as recently exhibited by Michael Glaesemann. In addition, apply some cosmetic changes that were applied upstream (in the Tcl project) at the same time, in order to sync with upstream version 1.15 of regexec.c. Upstream apparently intends to backpatch this, so I will too. The pathological behavior could be unpleasant if encountered in the field, which seems to justify any risk of introducing new bugs. Tom Lane, reviewed by Donal K. Fellows of Tcl project 01 February 2010, 02:45:55 UTC
d86bd9a Tom Lane 30 January 2010, 20:10:16 UTC Avoid performing encoding conversion on command tag strings during EndCommand. Since all current and foreseeable future command tags will be pure ASCII, there is no need to do conversion on them. This saves a few cycles and also avoids polluting otherwise-pristine subtransaction memory contexts, which is the cause of the backend memory leak exhibited in bug #5302. (Someday we'll probably want to have a better method of determining whether subtransaction contexts need to be kept around, but today is not that day.) Backpatch to 8.0. The cycle-shaving aspect of this would work in 7.4 too, but without subtransactions the memory-leak aspect doesn't apply, so it doesn't seem worth touching 7.4. 30 January 2010, 20:10:16 UTC
00ef17e Tom Lane 25 January 2010, 01:58:40 UTC Apply Tcl_Init() to the "hold" interpreter created by pltcl. You might think this is unnecessary since that interpreter is never used to run code --- but it turns out that's wrong. As of Tcl 8.5, the "clock" command (alone among builtin Tcl commands) is partially implemented by loaded-on-demand Tcl code, which means that it fails if there's not unknown-command support, and also that it's impossible to run it directly in a safe interpreter. The way they get around the latter is that Tcl_CreateSlave() automatically sets up an alias command that forwards any execution of "clock" in a safe slave interpreter to its parent interpreter. Thus, when attempting to execute "clock" in trusted pltcl, the command actually executes in the "hold" interpreter, where it will fail if unknown-command support hasn't been introduced by sourcing the standard init.tcl script, which is done by Tcl_Init(). (This is a pretty dubious design decision on the Tcl boys' part, if you ask me ... but they didn't.) Back-patch all the way. It's not clear that anyone would try to use ancient versions of pltcl with a recent Tcl, but it's not clear they wouldn't, either. Also add a regression test using "clock", in branches that have regression test support for pltcl. Per recent trouble report from Kyle Bateman. 25 January 2010, 01:58:40 UTC
d5d0a67 Tom Lane 24 January 2010, 21:49:58 UTC Fix assorted core dumps and Assert failures that could occur during AbortTransaction or AbortSubTransaction, when trying to clean up after an error that prevented (sub)transaction start from completing: * access to TopTransactionResourceOwner that might not exist * assert failure in AtEOXact_GUC, if AtStart_GUC not called yet * assert failure or core dump in AfterTriggerEndSubXact, if AfterTriggerBeginSubXact not called yet Per testing by injecting elog(ERROR) at successive steps in StartTransaction and StartSubTransaction. It's not clear whether all of these cases could really occur in the field, but at least one of them is easily exposed by simple stress testing, as per my accidental discovery yesterday. 24 January 2010, 21:49:58 UTC
8ecbda7 Tom Lane 23 January 2010, 21:29:23 UTC Insert CHECK_FOR_INTERRUPTS calls into loops in dbsize.c, to ensure that the various disk-size-reporting functions will respond to query cancel reasonably promptly even in very large databases. Per report from Kevin Grittner. 23 January 2010, 21:29:23 UTC
ae76ee9 Tom Lane 07 January 2010, 19:53:32 UTC Make bit/varbit substring() treat any negative length as meaning "all the rest of the string". The previous coding treated only -1 that way, and would produce an invalid result value for other negative values. We ought to fix it so that 2-parameter bit substring() is a different C function and the 3-parameter form throws error for negative length, but that takes a pg_proc change which is impractical in the back branches; and in any case somebody might be relying on -1 working this way. So just do this as a back-patchable fix. 07 January 2010, 19:53:32 UTC
c79a6b1 Heikki Linnakangas 29 December 2009, 20:49:37 UTC Remove a now unused local variable. 29 December 2009, 20:49:37 UTC
56a87f2 Heikki Linnakangas 29 December 2009, 17:41:35 UTC Previous fix for temporary file management broke returning a set from PL/pgSQL function within an exception handler. Make sure we use the right resource owner when we create the tuplestore to hold returned tuples. Simplify tuplestore API so that the caller doesn't need to be in the right memory context when calling tuplestore_put* functions. tuplestore.c automatically switches to the memory context used when the tuplestore was created. Tuplesort was already modified like this earlier. This patch also removes the now useless MemoryContextSwitch calls from callers. Report by Aleksei on pgsql-bugs on Dec 22 2009. Backpatch to 8.1, like the previous patch that broke this. 29 December 2009, 17:41:35 UTC
3bd13da Tom Lane 12 December 2009, 19:25:04 UTC Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits. This has been wrong since I first wrote that code for 8.0 :-(. Kudos to Roman Kononov for being the first to notice, though I didn't use his patch. Per bug #5237. 12 December 2009, 19:25:04 UTC
c89eec5 Marc G. Fournier 10 December 2009, 03:15:17 UTC tag 8.1.19 10 December 2009, 03:15:17 UTC
ce07e3f Tom Lane 10 December 2009, 00:31:52 UTC Update release notes for releases 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, 7.4.27. 10 December 2009, 00:31:52 UTC
613981b Tom Lane 09 December 2009, 21:58:44 UTC Prevent indirect security attacks via changing session-local state within an allegedly immutable index function. It was previously recognized that we had to prevent such a function from executing SET/RESET ROLE/SESSION AUTHORIZATION, or it could trivially obtain the privileges of the session user. However, since there is in general no privilege checking for changes of session-local state, it is also possible for such a function to change settings in a way that might subvert later operations in the same session. Examples include changing search_path to cause an unexpected function to be called, or replacing an existing prepared statement with another one that will execute a function of the attacker's choosing. The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against these threats, which are the same places previously deemed to need protection against the SET ROLE issue. GUC changes are still allowed, since there are many useful cases for that, but we prevent security problems by forcing a rollback of any GUC change after completing the operation. Other cases are handled by throwing an error if any change is attempted; these include temp table creation, closing a cursor, and creating or deleting a prepared statement. (In 7.4, the infrastructure to roll back GUC changes doesn't exist, so we settle for rejecting changes of "search_path" in these contexts.) Original report and patch by Gurjeet Singh, additional analysis by Tom Lane. Security: CVE-2009-4136 09 December 2009, 21:58:44 UTC
d585483 Magnus Hagander 09 December 2009, 06:37:17 UTC Reject certificates with embedded NULLs in the commonName field. This stops attacks where an attacker would put <attack>\0<propername> in the field and trick the validation code that the certificate was for <attack>. This is a very low risk attack since it reuqires the attacker to trick the CA into issuing a certificate with an incorrect field, and the common PostgreSQL deployments are with private CAs, and not external ones. Also, default mode in 8.4 does not do any name validation, and is thus also not vulnerable - but the higher security modes are. Backpatch all the way. Even though versions 8.3.x and before didn't have certificate name validation support, they still exposed this field for the user to perform the validation in the application code, and there is no way to detect this problem through that API. Security: CVE-2009-4034 09 December 2009, 06:37:17 UTC
8510e7e Tom Lane 09 December 2009, 00:36:29 UTC Update time zone data files to tzdata release 2009s: DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria. Also historical corrections for Hong Kong. 09 December 2009, 00:36:29 UTC
f1f6a48 Peter Eisentraut 08 December 2009, 21:58:30 UTC Translation updates 08 December 2009, 21:58:30 UTC
back to top