rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
postgresql/contrib/citext/citext--unpackaged--1.0.sql

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

214 lines
10 KiB
MySQL
Raw Normal View History

Convert contrib modules to use the extension facility. This isn't fully tested as yet, in particular I'm not sure that the "foo--unpackaged--1.0.sql" scripts are OK. But it's time to get some buildfarm cycles on it. sepgsql is not converted to an extension, mainly because it seems to require a very nonstandard installation process. Dimitri Fontaine and Tom Lane
2011-02-14 02:06:41 +01:00
/* contrib/citext/citext--unpackaged--1.0.sql */
Throw a useful error message if an extension script file is fed to psql. We have seen one too many reports of people trying to use 9.1 extension files in the old-fashioned way of sourcing them in psql. Not only does that usually not work (due to failure to substitute for MODULE_PATHNAME and/or @extschema@), but if it did work they'd get a collection of loose objects not an extension. To prevent this, insert an \echo ... \quit line that prints a suitable error message into each extension script file, and teach commands/extension.c to ignore lines starting with \echo. That should not only prevent any adverse consequences of loading a script file the wrong way, but make it crystal clear to users that they need to do it differently now. Tom Lane, following an idea of Andrew Dunstan's. Back-patch into 9.1 ... there is not going to be much value in this if we wait till 9.2.
2011-10-12 21:45:03 +02:00
-- complain if script is sourced in psql, rather than via CREATE EXTENSION
Fix typos in some error messages thrown by extension scripts when fed to psql. Some of the many error messages introduced in 458857cc missed 'FROM unpackaged'. Also e016b724 and 45ffeb7e forgot to quote extension version numbers. Backpatch to 9.1, just like 458857cc which introduced the messages. Do so because the error messages thrown when the wrong command is copy & pasted aren't easy to understand.
2014-08-25 18:30:37 +02:00
\echo Use "CREATE EXTENSION citext FROM unpackaged" to load this file. \quit
Throw a useful error message if an extension script file is fed to psql. We have seen one too many reports of people trying to use 9.1 extension files in the old-fashioned way of sourcing them in psql. Not only does that usually not work (due to failure to substitute for MODULE_PATHNAME and/or @extschema@), but if it did work they'd get a collection of loose objects not an extension. To prevent this, insert an \echo ... \quit line that prints a suitable error message into each extension script file, and teach commands/extension.c to ignore lines starting with \echo. That should not only prevent any adverse consequences of loading a script file the wrong way, but make it crystal clear to users that they need to do it differently now. Tom Lane, following an idea of Andrew Dunstan's. Back-patch into 9.1 ... there is not going to be much value in this if we wait till 9.2.
2011-10-12 21:45:03 +02:00
Convert contrib modules to use the extension facility. This isn't fully tested as yet, in particular I'm not sure that the "foo--unpackaged--1.0.sql" scripts are OK. But it's time to get some buildfarm cycles on it. sepgsql is not converted to an extension, mainly because it seems to require a very nonstandard installation process. Dimitri Fontaine and Tom Lane
2011-02-14 02:06:41 +01:00
ALTER EXTENSION citext ADD type citext;
ALTER EXTENSION citext ADD function citextin(cstring);
ALTER EXTENSION citext ADD function citextout(citext);
ALTER EXTENSION citext ADD function citextrecv(internal);
ALTER EXTENSION citext ADD function citextsend(citext);
ALTER EXTENSION citext ADD function citext(character);
ALTER EXTENSION citext ADD function citext(boolean);
ALTER EXTENSION citext ADD function citext(inet);
ALTER EXTENSION citext ADD cast (citext as text);
ALTER EXTENSION citext ADD cast (citext as character varying);
ALTER EXTENSION citext ADD cast (citext as character);
ALTER EXTENSION citext ADD cast (text as citext);
ALTER EXTENSION citext ADD cast (character varying as citext);
ALTER EXTENSION citext ADD cast (character as citext);
ALTER EXTENSION citext ADD cast (boolean as citext);
ALTER EXTENSION citext ADD cast (inet as citext);
ALTER EXTENSION citext ADD function citext_eq(citext,citext);
ALTER EXTENSION citext ADD function citext_ne(citext,citext);
ALTER EXTENSION citext ADD function citext_lt(citext,citext);
ALTER EXTENSION citext ADD function citext_le(citext,citext);
ALTER EXTENSION citext ADD function citext_gt(citext,citext);
ALTER EXTENSION citext ADD function citext_ge(citext,citext);
ALTER EXTENSION citext ADD operator <>(citext,citext);
ALTER EXTENSION citext ADD operator =(citext,citext);
ALTER EXTENSION citext ADD operator >(citext,citext);
ALTER EXTENSION citext ADD operator >=(citext,citext);
ALTER EXTENSION citext ADD operator <(citext,citext);
ALTER EXTENSION citext ADD operator <=(citext,citext);
ALTER EXTENSION citext ADD function citext_cmp(citext,citext);
ALTER EXTENSION citext ADD function citext_hash(citext);
ALTER EXTENSION citext ADD operator family citext_ops using btree;
ALTER EXTENSION citext ADD operator class citext_ops using btree;
ALTER EXTENSION citext ADD operator family citext_ops using hash;
ALTER EXTENSION citext ADD operator class citext_ops using hash;
ALTER EXTENSION citext ADD function citext_smaller(citext,citext);
ALTER EXTENSION citext ADD function citext_larger(citext,citext);
ALTER EXTENSION citext ADD function min(citext);
ALTER EXTENSION citext ADD function max(citext);
ALTER EXTENSION citext ADD function texticlike(citext,citext);
ALTER EXTENSION citext ADD function texticnlike(citext,citext);
ALTER EXTENSION citext ADD function texticregexeq(citext,citext);
ALTER EXTENSION citext ADD function texticregexne(citext,citext);
ALTER EXTENSION citext ADD operator !~(citext,citext);
ALTER EXTENSION citext ADD operator ~(citext,citext);
ALTER EXTENSION citext ADD operator !~*(citext,citext);
ALTER EXTENSION citext ADD operator ~*(citext,citext);
ALTER EXTENSION citext ADD operator !~~(citext,citext);
ALTER EXTENSION citext ADD operator ~~(citext,citext);
ALTER EXTENSION citext ADD operator !~~*(citext,citext);
ALTER EXTENSION citext ADD operator ~~*(citext,citext);
ALTER EXTENSION citext ADD function texticlike(citext,text);
ALTER EXTENSION citext ADD function texticnlike(citext,text);
ALTER EXTENSION citext ADD function texticregexeq(citext,text);
ALTER EXTENSION citext ADD function texticregexne(citext,text);
ALTER EXTENSION citext ADD operator !~(citext,text);
ALTER EXTENSION citext ADD operator ~(citext,text);
ALTER EXTENSION citext ADD operator !~*(citext,text);
ALTER EXTENSION citext ADD operator ~*(citext,text);
ALTER EXTENSION citext ADD operator !~~(citext,text);
ALTER EXTENSION citext ADD operator ~~(citext,text);
ALTER EXTENSION citext ADD operator !~~*(citext,text);
ALTER EXTENSION citext ADD operator ~~*(citext,text);
ALTER EXTENSION citext ADD function regexp_matches(citext,citext);
ALTER EXTENSION citext ADD function regexp_matches(citext,citext,text);
ALTER EXTENSION citext ADD function regexp_replace(citext,citext,text);
ALTER EXTENSION citext ADD function regexp_replace(citext,citext,text,text);
ALTER EXTENSION citext ADD function regexp_split_to_array(citext,citext);
ALTER EXTENSION citext ADD function regexp_split_to_array(citext,citext,text);
ALTER EXTENSION citext ADD function regexp_split_to_table(citext,citext);
ALTER EXTENSION citext ADD function regexp_split_to_table(citext,citext,text);
ALTER EXTENSION citext ADD function strpos(citext,citext);
ALTER EXTENSION citext ADD function replace(citext,citext,citext);
ALTER EXTENSION citext ADD function split_part(citext,citext,integer);
ALTER EXTENSION citext ADD function translate(citext,citext,text);
Fix citext's upgrade-from-unpackaged script to set its collation correctly. Although there remains some debate about how CREATE TYPE should represent the collation property, this doesn't really affect what we need to do in citext's script, so go ahead and fix that.
2011-03-03 19:22:18 +01:00
--
-- As of 9.1, type citext should be marked collatable. There is no ALTER TYPE
-- command for this, so we have to do it by poking the pg_type entry directly.
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
-- We have to poke any derived copies in pg_attribute or pg_index as well,
-- as well as those for arrays/domains based directly or indirectly on citext.
Fix citext's upgrade-from-unpackaged script to set its collation correctly. Although there remains some debate about how CREATE TYPE should represent the collation property, this doesn't really affect what we need to do in citext's script, so go ahead and fix that.
2011-03-03 19:22:18 +01:00
-- Notes: 100 is the OID of the "pg_catalog.default" collation --- it seems
-- easier and more reliable to hard-wire that here than to pull it out of
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
-- pg_collation. Also, we don't need to make pg_depend entries since the
-- default collation is pinned.
Fix citext's upgrade-from-unpackaged script to set its collation correctly. Although there remains some debate about how CREATE TYPE should represent the collation property, this doesn't really affect what we need to do in citext's script, so go ahead and fix that.
2011-03-03 19:22:18 +01:00
--
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
DO LANGUAGE plpgsql
$$
DECLARE
my_schema pg_catalog.text := pg_catalog.quote_ident(pg_catalog.current_schema());
old_path pg_catalog.text := pg_catalog.current_setting('search_path');
BEGIN
-- for safety, transiently set search_path to just pg_catalog+pg_temp
PERFORM pg_catalog.set_config('search_path', 'pg_catalog, pg_temp', true);
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
Fix citext's upgrade-from-unpackaged script to set its collation correctly. Although there remains some debate about how CREATE TYPE should represent the collation property, this doesn't really affect what we need to do in citext's script, so go ahead and fix that.
2011-03-03 19:22:18 +01:00
UPDATE pg_catalog.pg_type SET typcollation = 100
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
FROM typeoids
WHERE oid = typeoids.typoid;
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
UPDATE pg_catalog.pg_attribute SET attcollation = 100
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
FROM typeoids
WHERE atttypid = typeoids.typoid;
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix citext upgrade script for disallowance of oidvector element assignment. In commit 45e02e3232ac7cc5ffe36f7986159b5e0b1f6fdc, we intentionally disallowed updates on individual elements of oidvector columns. While that still seems like a sane idea in the abstract, we (I) forgot that citext's "upgrade from unpackaged" script did in fact perform exactly such updates, in order to fix the problem that citext indexes should have a collation but would not in databases dumped or upgraded from pre-9.1 installations. Even if we wanted to add casts to allow such updates, there's no practical way to do so in the back branches, so the only real alternative is to make citext's kluge even klugier. In this patch, I cast the oidvector to text, fix its contents with regexp_replace, and cast back to oidvector. (Ugh!) Since the aforementioned commit went into all active branches, we have to fix this in all branches that contain the now-broken update script. Per report from Eric Malm.
2014-08-29 00:21:05 +02:00
-- Updating the index indcollations is particularly tedious, but since we
-- don't currently allow SQL assignment to individual elements of oidvectors,
-- there's little choice.
UPDATE pg_catalog.pg_index SET indcollation =
pg_catalog.regexp_replace(indcollation::pg_catalog.text, '^0', '100')::pg_catalog.oidvector
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WHERE indclass[0] IN (
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
SELECT oid FROM pg_catalog.pg_opclass, typeoids
WHERE opcintype = typeoids.typoid
);
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix citext upgrade script for disallowance of oidvector element assignment. In commit 45e02e3232ac7cc5ffe36f7986159b5e0b1f6fdc, we intentionally disallowed updates on individual elements of oidvector columns. While that still seems like a sane idea in the abstract, we (I) forgot that citext's "upgrade from unpackaged" script did in fact perform exactly such updates, in order to fix the problem that citext indexes should have a collation but would not in databases dumped or upgraded from pre-9.1 installations. Even if we wanted to add casts to allow such updates, there's no practical way to do so in the back branches, so the only real alternative is to make citext's kluge even klugier. In this patch, I cast the oidvector to text, fix its contents with regexp_replace, and cast back to oidvector. (Ugh!) Since the aforementioned commit went into all active branches, we have to fix this in all branches that contain the now-broken update script. Per report from Eric Malm.
2014-08-29 00:21:05 +02:00
UPDATE pg_catalog.pg_index SET indcollation =
pg_catalog.regexp_replace(indcollation::pg_catalog.text, E'^(\\d+) 0', E'\\1 100')::pg_catalog.oidvector
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WHERE indclass[1] IN (
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
SELECT oid FROM pg_catalog.pg_opclass, typeoids
WHERE opcintype = typeoids.typoid
);
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix citext upgrade script for disallowance of oidvector element assignment. In commit 45e02e3232ac7cc5ffe36f7986159b5e0b1f6fdc, we intentionally disallowed updates on individual elements of oidvector columns. While that still seems like a sane idea in the abstract, we (I) forgot that citext's "upgrade from unpackaged" script did in fact perform exactly such updates, in order to fix the problem that citext indexes should have a collation but would not in databases dumped or upgraded from pre-9.1 installations. Even if we wanted to add casts to allow such updates, there's no practical way to do so in the back branches, so the only real alternative is to make citext's kluge even klugier. In this patch, I cast the oidvector to text, fix its contents with regexp_replace, and cast back to oidvector. (Ugh!) Since the aforementioned commit went into all active branches, we have to fix this in all branches that contain the now-broken update script. Per report from Eric Malm.
2014-08-29 00:21:05 +02:00
UPDATE pg_catalog.pg_index SET indcollation =
pg_catalog.regexp_replace(indcollation::pg_catalog.text, E'^(\\d+ \\d+) 0', E'\\1 100')::pg_catalog.oidvector
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WHERE indclass[2] IN (
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
SELECT oid FROM pg_catalog.pg_opclass, typeoids
WHERE opcintype = typeoids.typoid
);
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix citext upgrade script for disallowance of oidvector element assignment. In commit 45e02e3232ac7cc5ffe36f7986159b5e0b1f6fdc, we intentionally disallowed updates on individual elements of oidvector columns. While that still seems like a sane idea in the abstract, we (I) forgot that citext's "upgrade from unpackaged" script did in fact perform exactly such updates, in order to fix the problem that citext indexes should have a collation but would not in databases dumped or upgraded from pre-9.1 installations. Even if we wanted to add casts to allow such updates, there's no practical way to do so in the back branches, so the only real alternative is to make citext's kluge even klugier. In this patch, I cast the oidvector to text, fix its contents with regexp_replace, and cast back to oidvector. (Ugh!) Since the aforementioned commit went into all active branches, we have to fix this in all branches that contain the now-broken update script. Per report from Eric Malm.
2014-08-29 00:21:05 +02:00
UPDATE pg_catalog.pg_index SET indcollation =
pg_catalog.regexp_replace(indcollation::pg_catalog.text, E'^(\\d+ \\d+ \\d+) 0', E'\\1 100')::pg_catalog.oidvector
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WHERE indclass[3] IN (
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
SELECT oid FROM pg_catalog.pg_opclass, typeoids
WHERE opcintype = typeoids.typoid
);
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix citext upgrade script for disallowance of oidvector element assignment. In commit 45e02e3232ac7cc5ffe36f7986159b5e0b1f6fdc, we intentionally disallowed updates on individual elements of oidvector columns. While that still seems like a sane idea in the abstract, we (I) forgot that citext's "upgrade from unpackaged" script did in fact perform exactly such updates, in order to fix the problem that citext indexes should have a collation but would not in databases dumped or upgraded from pre-9.1 installations. Even if we wanted to add casts to allow such updates, there's no practical way to do so in the back branches, so the only real alternative is to make citext's kluge even klugier. In this patch, I cast the oidvector to text, fix its contents with regexp_replace, and cast back to oidvector. (Ugh!) Since the aforementioned commit went into all active branches, we have to fix this in all branches that contain the now-broken update script. Per report from Eric Malm.
2014-08-29 00:21:05 +02:00
UPDATE pg_catalog.pg_index SET indcollation =
pg_catalog.regexp_replace(indcollation::pg_catalog.text, E'^(\\d+ \\d+ \\d+ \\d+) 0', E'\\1 100')::pg_catalog.oidvector
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WHERE indclass[4] IN (
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
SELECT oid FROM pg_catalog.pg_opclass, typeoids
WHERE opcintype = typeoids.typoid
);
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix citext upgrade script for disallowance of oidvector element assignment. In commit 45e02e3232ac7cc5ffe36f7986159b5e0b1f6fdc, we intentionally disallowed updates on individual elements of oidvector columns. While that still seems like a sane idea in the abstract, we (I) forgot that citext's "upgrade from unpackaged" script did in fact perform exactly such updates, in order to fix the problem that citext indexes should have a collation but would not in databases dumped or upgraded from pre-9.1 installations. Even if we wanted to add casts to allow such updates, there's no practical way to do so in the back branches, so the only real alternative is to make citext's kluge even klugier. In this patch, I cast the oidvector to text, fix its contents with regexp_replace, and cast back to oidvector. (Ugh!) Since the aforementioned commit went into all active branches, we have to fix this in all branches that contain the now-broken update script. Per report from Eric Malm.
2014-08-29 00:21:05 +02:00
UPDATE pg_catalog.pg_index SET indcollation =
pg_catalog.regexp_replace(indcollation::pg_catalog.text, E'^(\\d+ \\d+ \\d+ \\d+ \\d+) 0', E'\\1 100')::pg_catalog.oidvector
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WHERE indclass[5] IN (
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
SELECT oid FROM pg_catalog.pg_opclass, typeoids
WHERE opcintype = typeoids.typoid
);
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix citext upgrade script for disallowance of oidvector element assignment. In commit 45e02e3232ac7cc5ffe36f7986159b5e0b1f6fdc, we intentionally disallowed updates on individual elements of oidvector columns. While that still seems like a sane idea in the abstract, we (I) forgot that citext's "upgrade from unpackaged" script did in fact perform exactly such updates, in order to fix the problem that citext indexes should have a collation but would not in databases dumped or upgraded from pre-9.1 installations. Even if we wanted to add casts to allow such updates, there's no practical way to do so in the back branches, so the only real alternative is to make citext's kluge even klugier. In this patch, I cast the oidvector to text, fix its contents with regexp_replace, and cast back to oidvector. (Ugh!) Since the aforementioned commit went into all active branches, we have to fix this in all branches that contain the now-broken update script. Per report from Eric Malm.
2014-08-29 00:21:05 +02:00
UPDATE pg_catalog.pg_index SET indcollation =
pg_catalog.regexp_replace(indcollation::pg_catalog.text, E'^(\\d+ \\d+ \\d+ \\d+ \\d+ \\d+) 0', E'\\1 100')::pg_catalog.oidvector
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WHERE indclass[6] IN (
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
SELECT oid FROM pg_catalog.pg_opclass, typeoids
WHERE opcintype = typeoids.typoid
);
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
Fix citext upgrade script for disallowance of oidvector element assignment. In commit 45e02e3232ac7cc5ffe36f7986159b5e0b1f6fdc, we intentionally disallowed updates on individual elements of oidvector columns. While that still seems like a sane idea in the abstract, we (I) forgot that citext's "upgrade from unpackaged" script did in fact perform exactly such updates, in order to fix the problem that citext indexes should have a collation but would not in databases dumped or upgraded from pre-9.1 installations. Even if we wanted to add casts to allow such updates, there's no practical way to do so in the back branches, so the only real alternative is to make citext's kluge even klugier. In this patch, I cast the oidvector to text, fix its contents with regexp_replace, and cast back to oidvector. (Ugh!) Since the aforementioned commit went into all active branches, we have to fix this in all branches that contain the now-broken update script. Per report from Eric Malm.
2014-08-29 00:21:05 +02:00
UPDATE pg_catalog.pg_index SET indcollation =
pg_catalog.regexp_replace(indcollation::pg_catalog.text, E'^(\\d+ \\d+ \\d+ \\d+ \\d+ \\d+ \\d+) 0', E'\\1 100')::pg_catalog.oidvector
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
WHERE indclass[7] IN (
WITH RECURSIVE typeoids(typoid) AS
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
( SELECT (my_schema || '.citext')::pg_catalog.regtype UNION
Fix contrib/citext's upgrade script to handle array and domain cases. We previously recognized that citext wouldn't get marked as collatable during pg_upgrade from a pre-9.1 installation, and hacked its create-from-unpackaged script to manually perform the necessary catalog adjustments. However, we overlooked the fact that domains over citext, as well as the citext[] array type, need the same adjustments. Extend the script to handle those cases. Also, the documentation suggested that this was only an issue in pg_upgrade scenarios, which is quite wrong; loading any dump containing citext from a pre-9.1 server will also result in the type being wrongly marked. I approached the documentation problem by changing the 9.1.2 release note paragraphs about this issue, which is historically inaccurate. But it seems better than having the information scattered in multiple places, and leaving incorrect info in the 9.1.2 notes would be bad anyway. We'll still need to mention the issue again in the 9.1.4 notes, but perhaps they can just reference 9.1.2 for fix instructions. Per report from Evan Carroll. Back-patch into 9.1.
2012-05-11 21:22:30 +02:00
SELECT oid FROM pg_catalog.pg_type, typeoids
WHERE typelem = typoid OR typbasetype = typoid )
SELECT oid FROM pg_catalog.pg_opclass, typeoids
WHERE opcintype = typeoids.typoid
);
Fix citext upgrade script to update derived copies of pg_type.typcollation. If the existing citext type has not merely been created, but used in any tables, then the upgrade script wasn't doing enough. We have to update attcollation for each citext table column, and indcollation for each citext index column, as well. Per report from Rudolf van der Leeden.
2011-11-21 17:24:39 +01:00
-- somewhat arbitrarily, we assume no citext indexes have more than 8 columns
Make contrib modules' installation scripts more secure. Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
2020-08-10 16:44:43 +02:00
PERFORM pg_catalog.set_config('search_path', old_path, true);
END
$$;