Tom Lane [Wed, 11 Oct 2006 20:21:28 +0000 (20:21 +0000)]
Repair incorrect check for coercion of unknown literal to ANYARRAY, a bug
I introduced in 7.4.1 :-(. It's correct to allow unknown to be coerced to
ANY or ANYELEMENT, since it's a real-enough data type, but it most certainly
isn't an array datatype. This can cause a backend crash but AFAICT is not
exploitable as a security hole. Per report from Michael Fuhr.
Note: as fixed in HEAD, this changes a constant in the pg_stats view,
resulting in a change in the expected regression outputs. The back-branch
patches have been hacked to avoid that, so that pre-existing installations
won't start failing their regression tests.
Tom Lane [Wed, 11 Oct 2006 20:03:26 +0000 (20:03 +0000)]
CREATE TABLE ... LIKE ... should mark the columns it creates with
attislocal = true, since they are not really inherited but merely copied
from the original table. I'm not sure if there are any cases where it makes
a real difference given the existing uses of the flag, but wrong is wrong.
This was fixed in passing in HEAD by the LIKE INCLUDING CONSTRAINTS patch,
but never back-patched.
Tom Lane [Tue, 10 Oct 2006 16:15:37 +0000 (16:15 +0000)]
Fix psql \d commands to behave properly when a pattern using regex | is given.
Formerly they'd emit '^foo|bar$' which is wrong because the anchors are
parsed as part of the alternatives; must emit '^(foo|bar)$' to get expected
behavior. Same as bug found previously in similar_escape(). Already fixed
in HEAD, this is just back-porting the part of that patch that was a bug fix.
Tom Lane [Mon, 9 Oct 2006 01:45:57 +0000 (01:45 +0000)]
Fix back-branch pg_regress scripts to try the "canonical" expected file if we
tried a variant file from resultmap and it didn't match. This is already done
in HEAD's C-code version, and is needed because OpenBSD has recently migrated
to a more standard handling of float underflow --- see buildfarm results
from emu.
Tom Lane [Sat, 7 Oct 2006 22:21:57 +0000 (22:21 +0000)]
Fix ancient oversight in psql's \d pattern processing code: when seeing two
quote chars inside quote marks, should emit one quote *and stay in inquotes
mode*. No doubt the lack of reports of this have something to do with the
poor documentation of the feature ...
Tom Lane [Sat, 7 Oct 2006 00:12:12 +0000 (00:12 +0000)]
Fix string_to_array() to correctly handle the case where there are
overlapping possible matches for the separator string, such as
string_to_array('123xx456xxx789', 'xx').
Also, revise the logic of replace(), split_part(), and string_to_array()
to avoid O(N^2) work from redundant searches and conversions to pg_wchar
format when there are N matches to the separator string.
Backpatched the full patch as far as 8.0. 7.4 also has the bug, but the
code has diverged a lot, so I just went for a quick-and-dirty fix of the
bug itself in that branch.
Tom Lane [Thu, 31 Aug 2006 17:31:55 +0000 (17:31 +0000)]
Clean up rather sloppy fix in HEAD for the ancient bug that CREATE CONVERSION
didn't create a dependency from the new conversion to its schema. Back-patch
to all supported releases.
Bruce Momjian [Thu, 6 Jul 2006 02:02:48 +0000 (02:02 +0000)]
Fix dbmirror for new backslash escaping:
Martin Pitt [2006-06-16 0:15 +0200]:
> Upstream confirmed my reply in the last mail in [1]: the complete
> escaping logic in DBMirror.pl is seriously screwew.
>
> [1] http://archives.postgresql.org/pgsql-bugs/2006-06/msg00065.php
I finally found some time to debug this, and I think I found a better
patch than the one you proposed. Mine is still hackish and is still a
workaround around a proper quoting solution, but at least it repairs
the parsing without introducing the \' quoting again.
I consider this a band-aid patch to fix the recent security update.
PostgreSQL gurus, would you consider applying this until a better
solution is found for DBMirror.pl?
Tom Lane [Thu, 1 Jun 2006 04:10:25 +0000 (04:10 +0000)]
Pre-8.0 branches need to cope with possibility that the system libc knows
about the recent changes in US DST law. Add a variant horology file, so
that either the old or new rules will be considered valid test results.
Tom Lane [Sun, 21 May 2006 20:20:24 +0000 (20:20 +0000)]
Modify libpq's string-escaping routines to be aware of encoding considerations
and standard_conforming_strings. The encoding changes are needed for proper
escaping in multibyte encodings, as per the SQL-injection vulnerabilities
noted in CVE-2006-2313 and CVE-2006-2314. Concurrent fixes are being applied
to the server to ensure that it rejects queries that may have been corrupted
by attempted SQL injection, but this merely guarantees that unpatched clients
will fail rather than allow injection. An actual fix requires changing the
client-side code. While at it we have also fixed these routines to understand
about standard_conforming_strings, so that the upcoming changeover to SQL-spec
string syntax can be somewhat transparent to client code.
Since the existing API of PQescapeString and PQescapeBytea provides no way to
inform them which settings are in use, these functions are now deprecated in
favor of new functions PQescapeStringConn and PQescapeByteaConn. The new
functions take the PGconn to which the string will be sent as an additional
parameter, and look inside the connection structure to determine what to do.
So as to provide some functionality for clients using the old functions,
libpq stores the latest encoding and standard_conforming_strings values
received from the backend in static variables, and the old functions consult
these variables. This will work reliably in clients using only one Postgres
connection at a time, or even multiple connections if they all use the same
encoding and string syntax settings; which should cover many practical
scenarios.
Clients that use homebrew escaping methods, such as PHP's addslashes()
function or even hardwired regexp substitution, will require extra effort
to fix :-(. It is strongly recommended that such code be replaced by use of
PQescapeStringConn/PQescapeByteaConn if at all feasible.
Tom Lane [Sun, 21 May 2006 20:11:58 +0000 (20:11 +0000)]
Add a new GUC parameter backslash_quote, which determines whether the SQL
parser will allow "\'" to be used to represent a literal quote mark. The
"\'" representation has been deprecated for some time in favor of the
SQL-standard representation "''" (two single quote marks), but it has been
used often enough that just disallowing it immediately won't do. Hence
backslash_quote allows the settings "on", "off", and "safe_encoding",
the last meaning to allow "\'" only if client_encoding is a valid server
encoding. That is now the default, and the reason is that in encodings
such as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a
multibyte character, accepting "\'" allows SQL-injection attacks as per
CVE-2006-2314 (further details will be published after release). The
"on" setting is available for backward compatibility, but it must not be
used with clients that are exposed to untrusted input.
Thanks to Akio Ishida and Yasuo Ohgaki for identifying this security issue.
Tom Lane [Sun, 21 May 2006 20:06:45 +0000 (20:06 +0000)]
Change the backend to reject strings containing invalidly-encoded multibyte
characters in all cases. Formerly we mostly just threw warnings for invalid
input, and failed to detect it at all if no encoding conversion was required.
The tighter check is needed to defend against SQL-injection attacks as per
CVE-2006-2313 (further details will be published after release). Embedded
zero (null) bytes will be rejected as well. The checks are applied during
input to the backend (receipt from client or COPY IN), so it no longer seems
necessary to check in textin() and related routines; any string arriving at
those functions will already have been validated. Conversion failure
reporting (for characters with no equivalent in the destination encoding)
has been cleaned up and made consistent while at it.
Also, fix a few longstanding errors in little-used encoding conversion
routines: win1251_to_iso, win866_to_iso, euc_tw_to_big5, euc_tw_to_mic,
mic_to_euc_tw were all broken to varying extents.
Patches by Tatsuo Ishii and Tom Lane. Thanks to Akio Ishida and Yasuo Ohgaki
for identifying the security issues.
Tom Lane [Fri, 19 May 2006 16:31:05 +0000 (16:31 +0000)]
Fix nasty bug in nodeIndexscan.c's detection of duplicate tuples during
a multiple (OR'ed) indexscan. It was checking for duplicate
tuple->t_data->t_ctid, when what it should be checking is tuple->t_self.
The trouble situation occurs when a live tuple has t_ctid not pointing to
itself, which can happen if an attempted UPDATE was rolled back. After a
VACUUM, an unrelated tuple could be installed where the failed update tuple
was, leading to one live tuple's t_ctid pointing to an unrelated tuple.
If one of these tuples is fetched by an earlier OR'ed indexscan and the other
by a later indexscan, nodeIndexscan.c would incorrectly ignore the second
tuple. The bug exists in all 7.4.* and 8.0.* versions, but not in earlier
or later branches because this code was only used in those releases. Per
trouble report from Rafael Martinez Guerrero.
Tom Lane [Fri, 12 May 2006 22:44:58 +0000 (22:44 +0000)]
Fix the sense of the test on DH_check()'s return value. This was preventing
custom-generated DH parameters from actually being used by the server.
Found by Michael Fuhr.
Tom Lane [Wed, 19 Apr 2006 16:15:52 +0000 (16:15 +0000)]
Fix ancient memory leak in PQprintTuples(); our code no longer uses this
routine, but perhaps some applications do. Found by Martijn van Oosterhout
using Coverity.
Tom Lane [Thu, 13 Apr 2006 18:01:53 +0000 (18:01 +0000)]
Fix similar_escape() so that SIMILAR TO works properly for patterns involving
alternatives ("|" symbol). The original coding allowed the added ^ and $
constraints to be absorbed into the first and last alternatives, producing
a pattern that would match more than it should. Per report from Eric Noriega.
I also changed the pattern to add an ARE director ("***:"), ensuring that
SIMILAR TO patterns do not change behavior if regex_flavor is changed. This
is necessary to make the non-capturing parentheses work, and seems like a
good idea on general principles.
Back-patched as far as 7.4. 7.3 also has the bug, but a fix seems impractical
because that version's regex engine doesn't have non-capturing parens.
Tom Lane [Tue, 28 Mar 2006 21:17:58 +0000 (21:17 +0000)]
Repair longstanding error in btree xlog replay: XLogReadBuffer should be
passed extend = true whenever we are reading a page we intend to reinitialize
completely, even if we think the page "should exist". This is because it
might indeed not exist, if the relation got truncated sometime after the
current xlog record was made and before the crash we're trying to recover
from. These two thinkos appear to explain both of the old bug reports
discussed here:
http://archives.postgresql.org/pgsql-hackers/2005-05/msg01369.php
Neil Conway [Mon, 20 Feb 2006 20:10:45 +0000 (20:10 +0000)]
Fix three Python reference leaks in PLy_traceback(). This would result
in leaking memory when invoking a PL/Python procedure that raises an
exception. Unfortunately this still leaks memory, but at least the
largest leak has been plugged.
This patch also fixes a reference counting mistake in PLy_modify_tuple()
for 8.0, 8.1 and HEAD: we don't actually own a reference to `platt', so
we shouldn't Py_DECREF() it.
Neil Conway [Sat, 18 Feb 2006 20:49:00 +0000 (20:49 +0000)]
Patch from Marko Kreen:
pgcrypto crypt()/md5 and hmac() leak memory when compiled against
OpenSSL as openssl.c digest ->reset will do two DigestInit calls
against a context. This happened to work with OpenSSL 0.9.6
but not with 0.9.7+.
Reason for the messy code was that I tried to avoid creating
wrapper structure to transport algorithm info and tried to use
OpenSSL context for it. The fix is to create wrapper structure.
It also uses newer digest API to avoid memory allocations
on reset with newer OpenSSLs.
Tom Lane [Sun, 12 Feb 2006 22:33:29 +0000 (22:33 +0000)]
Fix bug in SET SESSION AUTHORIZATION that allows unprivileged users to crash
the server, if it has been compiled with Asserts enabled (CVE-2006-0553).
Thanks to Akio Ishida for reporting this problem.
Tom Lane [Sat, 21 Jan 2006 04:38:46 +0000 (04:38 +0000)]
Repair longstanding bug in slru/clog logic: it is possible for two backends
to try to create a log segment file concurrently, but the code erroneously
specified O_EXCL to open(), resulting in a needless failure. Before 7.4,
it was even a PANIC condition :-(. Correct code is actually simpler than
what we had, because we can just say O_CREAT to start with and not need a
second open() call. I believe this accounts for several recent reports of
hard-to-reproduce "could not create file ...: File exists" errors in both
pg_clog and pg_subtrans.
Tom Lane [Thu, 12 Jan 2006 21:49:32 +0000 (21:49 +0000)]
Repair "Halloween problem" in EvalPlanQual: a tuple that's been inserted by
our own command (or more generally, xmin = our xact and cmin >= current
command ID) should not be seen as good. Else we may try to update rows
we already updated. This error was inserted last August while fixing the
even bigger problem that the old coding wouldn't see *any* tuples inserted
by our own transaction as good. Per report from Euler Taveira de Oliveira.
Tom Lane [Thu, 12 Jan 2006 19:24:27 +0000 (19:24 +0000)]
Use a more bulletproof test for whether finite() and isinf() are present.
It seems that recent gcc versions can optimize away calls to these functions
even when the functions do not exist on the platform, resulting in a bogus
positive result. Avoid this by using a non-constant argument and ensuring
that the function result is not simply discarded. Per report from
François Laupretre.
Tom Lane [Mon, 9 Jan 2006 21:16:46 +0000 (21:16 +0000)]
Fix pg_dump to add the required OPERATOR() decoration to schema-qualified
operator names. This is needed when dumping operator definitions that have
COMMUTATOR (or similar) links to operators in other schemas.
Apparently Daniel Whitter is the first person ever to try this :-(
Joe Conway [Tue, 3 Jan 2006 23:48:04 +0000 (23:48 +0000)]
When the remote query result has a different number of columns
than the local query specifies (e.g. in the FROM clause),
throw an ERROR (instead of crashing). Fix for bug #2129 reported
by Akio Iwaasa.
Tom Lane [Tue, 3 Jan 2006 23:46:51 +0000 (23:46 +0000)]
There is a signedness bug in Openwall gen_salt code that pgcrypto uses.
This makes the salt space for md5 and xdes algorithms a lot smaller than
it should be.
Neil Conway [Sun, 1 Jan 2006 10:14:27 +0000 (10:14 +0000)]
Remove DOS line endings ("\r\n") from several .po files. DOS line endings
are inconsistent with the rest of the .po files, and apparently cause
problems for Sun's cc. Per report on IRC from "bitvector2".
Tatsuo Ishii [Sat, 24 Dec 2005 10:40:55 +0000 (10:40 +0000)]
Fix long standing Asian multibyte charsets bug.
See:
Subject: [HACKERS] bugs with certain Asian multibyte charsets
From: Tatsuo Ishii <ishii@sraoss.co.jp>
To: pgsql-hackers@postgresql.org
Date: Sat, 24 Dec 2005 18:25:33 +0900 (JST)
Tom Lane [Thu, 22 Dec 2005 22:50:22 +0000 (22:50 +0000)]
Adjust string comparison so that only bitwise-equal strings are considered
equal: if strcoll claims two strings are equal, check it with strcmp, and
sort according to strcmp if not identical. This fixes inconsistent
behavior under glibc's hu_HU locale, and probably under some other locales
as well. Also, take advantage of the now-well-defined behavior to speed up
texteq, textne, bpchareq, bpcharne: they may as well just do a bitwise
comparison and not bother with strcoll at all.
NOTE: affected databases may need to REINDEX indexes on text columns to be
sure they are self-consistent.
Tom Lane [Wed, 14 Dec 2005 17:07:00 +0000 (17:07 +0000)]
Defend against crash while processing Describe Statement or Describe Portal
messages, when client attempts to execute these outside a transaction (start
one) or in a failed transaction (reject message, except for COMMIT/ROLLBACK
statements which we can handle). Per report from Francisco Figueiredo Jr.
Tom Lane [Tue, 6 Dec 2005 16:59:22 +0000 (16:59 +0000)]
In a nestloop inner indexscan, it's OK to use pushed-down baserestrictinfo
clauses even if it's an outer join. This is a corner case since such
clauses could only arise from weird OUTER JOIN ON conditions, but worth
fixing. Per example from Ron at cheapcomplexdevices.com.
Tom Lane [Fri, 18 Nov 2005 23:08:43 +0000 (23:08 +0000)]
Fix performance issue in exprTypmod(): for a COALESCE expression, it
recursed twice on its first argument, leading to exponential time spent
on a deep nest of COALESCEs ... such as a deeply nested FULL JOIN would
produce. Per report from Matt Carter.
Tom Lane [Thu, 10 Nov 2005 00:31:59 +0000 (00:31 +0000)]
When in transaction-aborted state, reject Bind message for portals containing
anything but transaction-exiting commands (ROLLBACK etc). We already rejected
Parse and Execute in such cases, so there seems little point in allowing Bind.
This prevents at least an Assert failure, and probably worse things, since
there's a lot of infrastructure that doesn't work when not in a live
transaction. We can also simplify the Bind logic a bit by rejecting messages
with a nonzero number of parameters, instead of the former kluge to silently
substitute NULL for each parameter. Per bug #2033 from Joel Stevenson.
Tom Lane [Thu, 3 Nov 2005 00:23:50 +0000 (00:23 +0000)]
Fix longstanding race condition in transaction log management: there was a
very narrow window in which SimpleLruReadPage or SimpleLruWritePage could
think that I/O was needed when it wasn't (and indeed the buffer had already
been assigned to another page). This would result in an Assert failure if
Asserts were enabled, and probably in silent data corruption if not.
Reported independently by Jim Nasby and Robert Creager.
I intend a more extensive fix when 8.2 development starts, but this is a
reasonably low-impact patch for the existing branches.
Tom Lane [Tue, 25 Oct 2005 20:30:45 +0000 (20:30 +0000)]
Fix longstanding bug that would sometimes let the planner generate a bad plan
for an outer join; symptom is bogus error "RIGHT JOIN is only supported with
merge-joinable join conditions". Problem was that select_mergejoin_clauses
did its tests in the wrong order. We need to force left join not right join
for a merge join when there are non-mergeable join clauses; but the test for
this only accounted for mergejoinability of the clause operator, and not
whether the left and right Vars were of the proper relations. Per report
from Jean-Pierre Pelletier.
Tom Lane [Thu, 20 Oct 2005 01:31:50 +0000 (01:31 +0000)]
Don't convert debug/notice/warning messages into errors just because
they occur inside error processing. This is a back-port of a logic
change already present in 8.0. Partial fix for bug#1976 --- doesn't
cure the wrong-encoding problem, but at least stops it from causing
unintended ERRORs.
Tom Lane [Fri, 14 Oct 2005 16:41:28 +0000 (16:41 +0000)]
Pass a strdup'd ident string to openlog(), to ensure that reallocation
of GUC memory doesn't cause us to start emitting a bogus ident string.
Per report from Han Holl. Also some trivial code cleanup in write_syslog.
Tom Lane [Wed, 12 Oct 2005 17:18:31 +0000 (17:18 +0000)]
Fix longstanding bug found by Atsushi Ogawa: _bt_check_unique would mark
the wrong buffer dirty when trying to kill a dead index entry that's on
a page after the one it started on. No risk of data corruption, just
inefficiency, but still a bug.
Tom Lane [Wed, 28 Sep 2005 21:17:50 +0000 (21:17 +0000)]
Repair planning bug introduced in 7.4: outer-join ON clauses that referenced
only the inner-side relation would be considered as potential equijoin clauses,
which is wrong because the condition doesn't necessarily hold above the point
of the outer join. Per test case from Kevin Grittner (bug#1916).
Bruce Momjian [Sun, 25 Sep 2005 03:18:16 +0000 (03:18 +0000)]
[ Patch to 7.4.X.]
In several places PL/Python was calling PyObject_Str() and then
PyString_AsString() without checking if the former had returned
NULL to indicate an error. PyString_AsString() doesn't expect a
NULL argument, so passing one causes a segmentation fault. This
patch adds checks for NULL and raises errors via PLy_elog(), which
prints details of the underlying Python exception. The patch also
adds regression tests for these checks. All tests pass on my
Solaris 9 box running HEAD and Python 2.4.1.
Update Snowball. I have to update it because of
old version doesn't available on Snowball's site and new version
of stemmers can't be compiled with old interface.
Tom Lane [Thu, 25 Aug 2005 22:07:21 +0000 (22:07 +0000)]
Back-patch fixes for problems with VACUUM destroying t_ctid chains too soon,
and with insufficient paranoia in code that follows t_ctid links.
This patch covers the 7.4 branch.
projects / postgresql / log