Barry Lind [Thu, 24 Jul 2003 00:30:39 +0000 (00:30 +0000)]
Fixes additional sql injection vulnerabilities reported by Oliver Jowett
and Dmitry Tkach. Specifically the previous fix still allowed the statement termination character through in unquoted places in the sql statement, and the driver never correctly handled someone passing a value of \0 in a string which under the v2 protocol would end the statement causing the following text to possibly be treated as a new sql statement.
Modified Files:
jdbc/org/postgresql/Driver.java.in
jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
Tom Lane [Wed, 23 Jul 2003 23:30:41 +0000 (23:30 +0000)]
Have a go at fixing various outstanding portability issues in code that
was modified for IPv6. Use a robust definition of struct sockaddr_storage,
do a proper configure test to see if ss_len exists, don't assume that
getnameinfo() will handle AF_UNIX sockets, don't trust getaddrinfo to
return the protocol we ask for, etc. This incorporates several outstanding
patches from Kurt Roeckx, but I'm to blame for anything that doesn't
work ...
Barry Lind [Tue, 22 Jul 2003 05:17:09 +0000 (05:17 +0000)]
Fix to prevent SQL injection attacks for code calling setObject(int,Object,int)
where Object is a user supplied String and the type is a numeric type
(i.e. INTEGER, LONG, etc.).
Also applied a patch from Kim Ho that fixes compile problems under jdk1.2
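The two JDBC commits above (the setObject numeric-type fix, and the earlier fix for the statement terminator and \0 in strings) describe checks a driver must make before splicing a user-supplied String into SQL text. The following is an added, illustrative binder written for this page; it is not the PostgreSQL JDBC driver's code, and the class and method names (SafeLiteral, toLiteral, numericLiteral, quotedLiteral) are assumed for the example. A String bound to a numeric type is parsed and re-serialized so only a canonical number reaches the unquoted position; a String bound to a text type is quoted with ' and \ escaped, and a NUL character is rejected rather than sent, since under the v2 protocol it would terminate the statement on the wire.

```java
import java.math.BigDecimal;
import java.sql.SQLException;
import java.sql.Types;

/**
 * Illustrative parameter-to-literal binder (example code, not the driver's own).
 * Models the two defensive checks from the commit messages: numeric targets
 * must receive a well-formed number, text targets are quoted/escaped and
 * must not contain NUL (\0).
 */
public final class SafeLiteral {

    private SafeLiteral() {}

    /** Render a bound value as a SQL literal for the given java.sql.Types code. */
    public static String toLiteral(Object value, int sqlType) throws SQLException {
        if (value == null) {
            return "NULL";
        }
        switch (sqlType) {
            case Types.SMALLINT:
            case Types.INTEGER:
            case Types.BIGINT:
                return numericLiteral(value, true);
            case Types.NUMERIC:
            case Types.DECIMAL:
            case Types.REAL:
            case Types.FLOAT:
            case Types.DOUBLE:
                return numericLiteral(value, false);
            case Types.CHAR:
            case Types.VARCHAR:
            case Types.LONGVARCHAR:
                return quotedLiteral(value.toString());
            default:
                throw new SQLException("unsupported SQL type: " + sqlType);
        }
    }

    /**
     * Numeric values are placed in the statement unquoted, so the String is
     * parsed and re-serialized; anything that is not a number (including a
     * statement terminator) fails here instead of reaching the SQL text.
     */
    static String numericLiteral(Object value, boolean integral) throws SQLException {
        String text = value.toString().trim();
        try {
            BigDecimal n = new BigDecimal(text);
            if (integral) {
                // Rejects fractional input for integer targets (ArithmeticException).
                return n.toBigIntegerExact().toString();
            }
            return n.toPlainString();
        } catch (NumberFormatException | ArithmeticException e) {
            throw new SQLException("value is not a valid number for the requested type: " + text);
        }
    }

    /**
     * Quoted literal: double single quotes, escape backslashes (2003-era
     * servers treat \ as an escape inside string literals), and reject NUL
     * outright because the v2 protocol would treat it as end of statement.
     */
    static String quotedLiteral(String s) throws SQLException {
        StringBuilder sb = new StringBuilder(s.length() + 2);
        sb.append('\'');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\0':
                    throw new SQLException("NUL character not allowed in string parameter");
                case '\'':
                    sb.append("''");
                    break;
                case '\\':
                    sb.append("\\\\");
                    break;
                default:
                    sb.append(c);
            }
        }
        sb.append('\'');
        return sb.toString();
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample inputs for demonstration.
        System.out.println(toLiteral("42", Types.INTEGER));
        System.out.println(toLiteral("O'Reilly", Types.VARCHAR));
        for (String bad : new String[] {"1; SELECT 1", "4.5", "abc\0def"}) {
            try {
                toLiteral(bad, bad.equals("abc\0def") ? Types.VARCHAR : Types.INTEGER);
            } catch (SQLException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The design point is that validation is tied to the target SQL type, not to the Java class of the argument: a caller passing a String for an INTEGER column gets the numeric check, which is exactly the case the setObject(int, Object, int) fix addresses.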
Bruce Momjian [Fri, 18 Jul 2003 03:45:06 +0000 (03:45 +0000)]
Stephen Robert Norris wrote:
> Well, no. What it says is that certain values must be escaped (but
> doesn't say which ones). Then it says there are alternate escape
> sequences for some values, which it lists.
>
> It doesn't say "The following table contains the characters which must
> be escaped:", which would be much clearer (and actually useful).
Attached documentation patch updates the wording for bytea input
escaping, per complaint by Stephen Norris above.
Tom Lane [Fri, 18 Jul 2003 03:21:53 +0000 (03:21 +0000)]
It seems some case-insensitive locales sort upper case before lower
(BBBB before bbbb) and others the other way around. Provide comparison
files that cater to both approaches.
Tom Lane [Thu, 17 Jul 2003 22:28:42 +0000 (22:28 +0000)]
Add an upper limit to IS_VALID_JULIAN() to defend against overflow in
date2j(). This ensures we give reasonable errors instead of bizarre
behavior for input dates far in the future.
Tom Lane [Thu, 17 Jul 2003 20:13:57 +0000 (20:13 +0000)]
For COMMENT ON DATABASE where database name is unknown or not the current
database, emit a WARNING and do nothing, rather than raising ERROR.
Per recent discussion in which we concluded this is the best way to deal
with database dumps that are reloaded into a database of a new name.
Tom Lane [Thu, 17 Jul 2003 16:45:04 +0000 (16:45 +0000)]
Repair boundary-case bug introduced by patch of two months ago that
fixed incorrect initial setting of StartUpID. The logic in XLogWrite()
expects that Write->curridx is advanced to the next page as soon as
LogwrtResult points to the end of the current page, but StartupXLOG()
failed to make that happen when the old WAL ended exactly on a page
boundary. Per trouble report from Hannu Krosing.
Tom Lane [Thu, 17 Jul 2003 00:55:37 +0000 (00:55 +0000)]
Make EXTRACT(TIMEZONE) and SET/SHOW TIMEZONE follow the SQL convention
for the sign of timezone offsets, ie, positive is east from UTC. These
were previously out of step with other operations that accept or show
timezones, such as I/O of timestamptz values.
Tom Lane [Wed, 16 Jul 2003 17:25:48 +0000 (17:25 +0000)]
Add defenses against trying to attach qual conditions to a setOperation
query node, since that won't work unless the planner is upgraded.
Someday we should try to support at least some cases of this, but for
now just plug the hole in the dike. Per discussion with Dmitry Tkach.
Tom Lane [Tue, 15 Jul 2003 19:19:56 +0000 (19:19 +0000)]
Cause SHOW DATESTYLE to produce a string that will be accepted by SET
DATESTYLE, for instance 'SQL, European' instead of
'SQL with European conventions'. Per gripe a month or two back from
Barry Lind.
Tom Lane [Tue, 15 Jul 2003 17:54:34 +0000 (17:54 +0000)]
Avoid use of int64_t, which seems not to be very portable. Simplify
padding logic for struct sockaddr_storage --- original version did not
do what it claimed to when SALEN is defined.
Tom Lane [Tue, 15 Jul 2003 00:11:14 +0000 (00:11 +0000)]
Tweak original coding so that we can determine the platform-specific
shared_buffers and max_connections values to use before we run the
bootstrap process. Without this, initdb would fail on platforms where
the hardwired default values are too large. (We could get around that
by making the hardwired defaults tiny, perhaps, but why slow down
bootstrap by starving it for buffers...)
Tom Lane [Mon, 14 Jul 2003 22:35:54 +0000 (22:35 +0000)]
Make cost estimates for SubqueryScan more realistic: charge cpu_tuple_cost
for each row processed, and don't forget the evaluation cost of any
restriction clauses attached to the node. Per discussion with Greg Stark.
Tom Lane [Mon, 14 Jul 2003 20:00:23 +0000 (20:00 +0000)]
The default values for shared_buffers and max_connections are now 1000
and 100 respectively, if the platform will allow it. initdb selects
values that are not too large to allow the postmaster to start, and
places these values in the installed postgresql.conf file. This allows
us to continue to start up out-of-the-box on platforms with small SHMMAX,
while having somewhat-realistic default settings on platforms with
reasonable SHMMAX. Per recent pghackers discussion.
Tom Lane [Fri, 4 Jul 2003 18:21:14 +0000 (18:21 +0000)]
tm2timestamp should return -1, not elog, on overflow. (In the backend
this is merely an API inconsistency, but in ecpg it's fatal.) Also,
fix misconceived overflow test in HAVE_INT64_TIMESTAMP case.
Tom Lane [Fri, 4 Jul 2003 16:41:22 +0000 (16:41 +0000)]
Add --help-config facility to dump information about GUC parameters
without needing a running backend. Reorder postgresql.conf.sample
to match new layout of runtime.sgml. This commit re-adds work lost
in Wednesday's crash.
Tom Lane [Fri, 4 Jul 2003 02:51:34 +0000 (02:51 +0000)]
Some early work on error message editing. Operator-not-found and
function-not-found messages now distinguish the cases no-match and
ambiguous-match, and they follow the style guidelines too.
Tom Lane [Thu, 3 Jul 2003 19:41:47 +0000 (19:41 +0000)]
Fix bug I introduced in recent rewrite of NUMERIC code: numeric to
integer conversions gave the wrong answer for values with stripped
trailing zeroes, such as 10000000.