2003-03-18 23:19:47 +01:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
*
|
2005-08-15 23:02:26 +02:00
|
|
|
* common.c
|
|
|
|
* Common support routines for bin/scripts/
|
|
|
|
*
|
2003-03-18 23:19:47 +01:00
|
|
|
*
|
2018-01-03 05:30:12 +01:00
|
|
|
* Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
|
2003-03-18 23:19:47 +01:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
|
|
*
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/bin/scripts/common.c
|
2003-03-18 23:19:47 +01:00
|
|
|
*
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "postgres_fe.h"
|
|
|
|
|
2007-04-09 20:21:22 +02:00
|
|
|
#include <signal.h>
|
2003-03-18 23:19:47 +01:00
|
|
|
#include <unistd.h>
|
|
|
|
|
2005-08-15 23:02:26 +02:00
|
|
|
#include "common.h"
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
#include "fe_utils/connect.h"
|
|
|
|
#include "fe_utils/string_utils.h"
|
2007-04-09 20:21:22 +02:00
|
|
|
|
2005-08-15 23:02:26 +02:00
|
|
|
|
2007-04-09 20:21:22 +02:00
|
|
|
static PGcancel *volatile cancelConn = NULL;
|
2015-05-24 03:35:49 +02:00
|
|
|
bool CancelRequested = false;
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2007-04-09 20:21:22 +02:00
|
|
|
#ifdef WIN32
|
|
|
|
static CRITICAL_SECTION cancelConnLock;
|
|
|
|
#endif
|
2003-03-18 23:19:47 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Provide strictly harmonized handling of --help and --version
|
|
|
|
* options.
|
|
|
|
*/
|
|
|
|
void
|
2005-08-15 23:02:26 +02:00
|
|
|
handle_help_version_opts(int argc, char *argv[],
|
|
|
|
const char *fixed_progname, help_handler hlp)
|
2003-03-18 23:19:47 +01:00
|
|
|
{
|
|
|
|
if (argc > 1)
|
|
|
|
{
|
|
|
|
if (strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0)
|
|
|
|
{
|
|
|
|
hlp(get_progname(argv[0]));
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
if (strcmp(argv[1], "--version") == 0 || strcmp(argv[1], "-V") == 0)
|
|
|
|
{
|
|
|
|
printf("%s (PostgreSQL) " PG_VERSION "\n", fixed_progname);
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
2015-11-12 22:05:23 +01:00
|
|
|
* Make a database connection with the given parameters.
|
|
|
|
*
|
2015-12-23 21:45:43 +01:00
|
|
|
* An interactive password prompt is automatically issued if needed and
|
|
|
|
* allowed by prompt_password.
|
|
|
|
*
|
|
|
|
* If allow_password_reuse is true, we will try to re-use any password
|
|
|
|
* given during previous calls to this routine. (Callers should not pass
|
|
|
|
* allow_password_reuse=true unless reconnecting to the same database+user
|
|
|
|
* as before, else we might create password exposure hazards.)
|
2003-03-18 23:19:47 +01:00
|
|
|
*/
|
|
|
|
PGconn *
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
connectDatabase(const char *dbname, const char *pghost,
|
|
|
|
const char *pgport, const char *pguser,
|
|
|
|
enum trivalue prompt_password, const char *progname,
|
|
|
|
bool echo, bool fail_ok, bool allow_password_reuse)
|
2003-03-18 23:19:47 +01:00
|
|
|
{
|
|
|
|
PGconn *conn;
|
2007-07-08 21:07:38 +02:00
|
|
|
bool new_pass;
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
static bool have_password = false;
|
|
|
|
static char password[100];
|
2003-03-18 23:19:47 +01:00
|
|
|
|
2015-12-23 21:45:43 +01:00
|
|
|
if (!allow_password_reuse)
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
have_password = false;
|
|
|
|
|
|
|
|
if (!have_password && prompt_password == TRI_YES)
|
2015-12-23 21:45:43 +01:00
|
|
|
{
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
simple_prompt("Password: ", password, sizeof(password), false);
|
|
|
|
have_password = true;
|
2015-12-23 21:45:43 +01:00
|
|
|
}
|
2015-11-12 22:05:23 +01:00
|
|
|
|
2003-03-18 23:19:47 +01:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Start the connection. Loop until we have a password if requested by
|
|
|
|
* backend.
|
2003-03-18 23:19:47 +01:00
|
|
|
*/
|
|
|
|
do
|
|
|
|
{
|
2015-12-23 21:45:43 +01:00
|
|
|
const char *keywords[7];
|
|
|
|
const char *values[7];
|
2010-02-05 04:09:05 +01:00
|
|
|
|
2010-02-26 03:01:40 +01:00
|
|
|
keywords[0] = "host";
|
|
|
|
values[0] = pghost;
|
|
|
|
keywords[1] = "port";
|
|
|
|
values[1] = pgport;
|
|
|
|
keywords[2] = "user";
|
|
|
|
values[2] = pguser;
|
|
|
|
keywords[3] = "password";
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
values[3] = have_password ? password : NULL;
|
2010-02-26 03:01:40 +01:00
|
|
|
keywords[4] = "dbname";
|
|
|
|
values[4] = dbname;
|
|
|
|
keywords[5] = "fallback_application_name";
|
|
|
|
values[5] = progname;
|
|
|
|
keywords[6] = NULL;
|
|
|
|
values[6] = NULL;
|
2010-02-05 04:09:05 +01:00
|
|
|
|
2007-07-08 21:07:38 +02:00
|
|
|
new_pass = false;
|
2010-02-05 04:09:05 +01:00
|
|
|
conn = PQconnectdbParams(keywords, values, true);
|
|
|
|
|
2003-03-18 23:19:47 +01:00
|
|
|
if (!conn)
|
|
|
|
{
|
2015-11-12 22:05:23 +01:00
|
|
|
fprintf(stderr, _("%s: could not connect to database %s: out of memory\n"),
|
2003-03-18 23:19:47 +01:00
|
|
|
progname, dbname);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
2015-11-12 22:05:23 +01:00
|
|
|
/*
|
|
|
|
* No luck? Trying asking (again) for a password.
|
|
|
|
*/
|
2003-03-18 23:19:47 +01:00
|
|
|
if (PQstatus(conn) == CONNECTION_BAD &&
|
2007-12-09 20:01:40 +01:00
|
|
|
PQconnectionNeedsPassword(conn) &&
|
2009-02-26 17:02:39 +01:00
|
|
|
prompt_password != TRI_NO)
|
2003-03-18 23:19:47 +01:00
|
|
|
{
|
|
|
|
PQfinish(conn);
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
simple_prompt("Password: ", password, sizeof(password), false);
|
|
|
|
have_password = true;
|
2007-07-08 21:07:38 +02:00
|
|
|
new_pass = true;
|
2003-03-18 23:19:47 +01:00
|
|
|
}
|
2007-07-08 21:07:38 +02:00
|
|
|
} while (new_pass);
|
2003-03-18 23:19:47 +01:00
|
|
|
|
|
|
|
/* check to see that the backend connection was successfully made */
|
|
|
|
if (PQstatus(conn) == CONNECTION_BAD)
|
|
|
|
{
|
2011-12-06 14:48:15 +01:00
|
|
|
if (fail_ok)
|
|
|
|
{
|
|
|
|
PQfinish(conn);
|
|
|
|
return NULL;
|
|
|
|
}
|
2003-03-18 23:19:47 +01:00
|
|
|
fprintf(stderr, _("%s: could not connect to database %s: %s"),
|
|
|
|
progname, dbname, PQerrorMessage(conn));
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
if (PQserverVersion(conn) >= 70300)
|
|
|
|
PQclear(executeQuery(conn, ALWAYS_SECURE_SEARCH_PATH_SQL,
|
|
|
|
progname, echo));
|
|
|
|
|
2003-03-18 23:19:47 +01:00
|
|
|
return conn;
|
|
|
|
}
|
|
|
|
|
2011-12-06 14:48:15 +01:00
|
|
|
/*
|
|
|
|
* Try to connect to the appropriate maintenance database.
|
|
|
|
*/
|
|
|
|
PGconn *
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
connectMaintenanceDatabase(const char *maintenance_db,
|
|
|
|
const char *pghost, const char *pgport,
|
|
|
|
const char *pguser, enum trivalue prompt_password,
|
|
|
|
const char *progname, bool echo)
|
2011-12-06 14:48:15 +01:00
|
|
|
{
|
2012-06-10 21:20:04 +02:00
|
|
|
PGconn *conn;
|
2011-12-06 14:48:15 +01:00
|
|
|
|
|
|
|
/* If a maintenance database name was specified, just connect to it. */
|
|
|
|
if (maintenance_db)
|
2015-12-23 21:45:43 +01:00
|
|
|
return connectDatabase(maintenance_db, pghost, pgport, pguser,
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
prompt_password, progname, echo, false, false);
|
2011-12-06 14:48:15 +01:00
|
|
|
|
|
|
|
/* Otherwise, try postgres first and then template1. */
|
2015-12-23 21:45:43 +01:00
|
|
|
conn = connectDatabase("postgres", pghost, pgport, pguser, prompt_password,
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
progname, echo, true, false);
|
2011-12-06 14:48:15 +01:00
|
|
|
if (!conn)
|
2015-12-23 21:45:43 +01:00
|
|
|
conn = connectDatabase("template1", pghost, pgport, pguser,
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
prompt_password, progname, echo, false, false);
|
2011-12-06 14:48:15 +01:00
|
|
|
|
|
|
|
return conn;
|
|
|
|
}
|
2003-03-18 23:19:47 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Run a query, return the results, exit program on failure.
|
|
|
|
*/
|
|
|
|
PGresult *
|
|
|
|
executeQuery(PGconn *conn, const char *query, const char *progname, bool echo)
|
|
|
|
{
|
|
|
|
PGresult *res;
|
|
|
|
|
|
|
|
if (echo)
|
|
|
|
printf("%s\n", query);
|
|
|
|
|
|
|
|
res = PQexec(conn, query);
|
|
|
|
if (!res ||
|
|
|
|
PQresultStatus(res) != PGRES_TUPLES_OK)
|
|
|
|
{
|
2005-08-15 23:02:26 +02:00
|
|
|
fprintf(stderr, _("%s: query failed: %s"),
|
|
|
|
progname, PQerrorMessage(conn));
|
|
|
|
fprintf(stderr, _("%s: query was: %s\n"),
|
|
|
|
progname, query);
|
2003-03-18 23:19:47 +01:00
|
|
|
PQfinish(conn);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
return res;
|
|
|
|
}
|
2003-05-27 21:36:55 +02:00
|
|
|
|
|
|
|
|
2005-08-15 23:02:26 +02:00
|
|
|
/*
|
|
|
|
* As above for a SQL command (which returns nothing).
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
executeCommand(PGconn *conn, const char *query,
|
|
|
|
const char *progname, bool echo)
|
|
|
|
{
|
|
|
|
PGresult *res;
|
|
|
|
|
|
|
|
if (echo)
|
|
|
|
printf("%s\n", query);
|
|
|
|
|
|
|
|
res = PQexec(conn, query);
|
|
|
|
if (!res ||
|
|
|
|
PQresultStatus(res) != PGRES_COMMAND_OK)
|
|
|
|
{
|
|
|
|
fprintf(stderr, _("%s: query failed: %s"),
|
|
|
|
progname, PQerrorMessage(conn));
|
|
|
|
fprintf(stderr, _("%s: query was: %s\n"),
|
|
|
|
progname, query);
|
|
|
|
PQfinish(conn);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
PQclear(res);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2007-04-09 20:21:22 +02:00
|
|
|
/*
|
|
|
|
* As above for a SQL maintenance command (returns command success).
|
|
|
|
* Command is executed with a cancel handler set, so Ctrl-C can
|
|
|
|
* interrupt it.
|
|
|
|
*/
|
|
|
|
bool
|
|
|
|
executeMaintenanceCommand(PGconn *conn, const char *query, bool echo)
|
|
|
|
{
|
|
|
|
PGresult *res;
|
|
|
|
bool r;
|
|
|
|
|
|
|
|
if (echo)
|
|
|
|
printf("%s\n", query);
|
|
|
|
|
|
|
|
SetCancelConn(conn);
|
|
|
|
res = PQexec(conn, query);
|
|
|
|
ResetCancelConn();
|
|
|
|
|
|
|
|
r = (res && PQresultStatus(res) == PGRES_COMMAND_OK);
|
|
|
|
|
|
|
|
if (res)
|
|
|
|
PQclear(res);
|
|
|
|
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Split TABLE[(COLUMNS)] into TABLE and [(COLUMNS)] portions. When you
|
|
|
|
* finish using them, pg_free(*table). *columns is a pointer into "spec",
|
|
|
|
* possibly to its NUL terminator.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
split_table_columns_spec(const char *spec, int encoding,
|
|
|
|
char **table, const char **columns)
|
|
|
|
{
|
|
|
|
bool inquotes = false;
|
|
|
|
const char *cp = spec;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Find the first '(' not identifier-quoted. Based on
|
|
|
|
* dequote_downcase_identifier().
|
|
|
|
*/
|
|
|
|
while (*cp && (*cp != '(' || inquotes))
|
|
|
|
{
|
|
|
|
if (*cp == '"')
|
|
|
|
{
|
|
|
|
if (inquotes && cp[1] == '"')
|
|
|
|
cp++; /* pair does not affect quoting */
|
|
|
|
else
|
|
|
|
inquotes = !inquotes;
|
|
|
|
cp++;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
cp += PQmblen(cp, encoding);
|
|
|
|
}
|
|
|
|
*table = pg_strdup(spec);
|
|
|
|
(*table)[cp - spec] = '\0'; /* no strndup */
|
|
|
|
*columns = cp;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Break apart TABLE[(COLUMNS)] of "spec". With the reset_val of search_path
|
|
|
|
* in effect, have regclassin() interpret the TABLE portion. Append to "buf"
|
|
|
|
* the qualified name of TABLE, followed by any (COLUMNS). Exit on failure.
|
|
|
|
* We use this to interpret --table=foo under the search path psql would get,
|
|
|
|
* in advance of "ANALYZE public.foo" under the always-secure search path.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
appendQualifiedRelation(PQExpBuffer buf, const char *spec,
|
|
|
|
PGconn *conn, const char *progname, bool echo)
|
|
|
|
{
|
|
|
|
char *table;
|
|
|
|
const char *columns;
|
|
|
|
PQExpBufferData sql;
|
|
|
|
PGresult *res;
|
|
|
|
int ntups;
|
|
|
|
|
|
|
|
/* Before 7.3, the concept of qualifying a name did not exist. */
|
|
|
|
if (PQserverVersion(conn) < 70300)
|
|
|
|
{
|
|
|
|
appendPQExpBufferStr(&sql, spec);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
split_table_columns_spec(spec, PQclientEncoding(conn), &table, &columns);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Query must remain ABSOLUTELY devoid of unqualified names. This would
|
|
|
|
* be unnecessary given a regclassin() variant taking a search_path
|
|
|
|
* argument.
|
|
|
|
*/
|
|
|
|
initPQExpBuffer(&sql);
|
|
|
|
appendPQExpBufferStr(&sql,
|
|
|
|
"SELECT c.relname, ns.nspname\n"
|
|
|
|
" FROM pg_catalog.pg_class c,"
|
|
|
|
" pg_catalog.pg_namespace ns\n"
|
|
|
|
" WHERE c.relnamespace OPERATOR(pg_catalog.=) ns.oid\n"
|
|
|
|
" AND c.oid OPERATOR(pg_catalog.=) ");
|
|
|
|
appendStringLiteralConn(&sql, table, conn);
|
|
|
|
appendPQExpBufferStr(&sql, "::pg_catalog.regclass;");
|
|
|
|
|
2018-08-30 19:23:22 +02:00
|
|
|
executeCommand(conn, "RESET search_path;", progname, echo);
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* One row is a typical result, as is a nonexistent relation ERROR.
|
|
|
|
* regclassin() unconditionally accepts all-digits input as an OID; if no
|
|
|
|
* relation has that OID; this query returns no rows. Catalog corruption
|
|
|
|
* might elicit other row counts.
|
|
|
|
*/
|
|
|
|
res = executeQuery(conn, sql.data, progname, echo);
|
|
|
|
ntups = PQntuples(res);
|
|
|
|
if (ntups != 1)
|
|
|
|
{
|
|
|
|
fprintf(stderr,
|
|
|
|
ngettext("%s: query returned %d row instead of one: %s\n",
|
|
|
|
"%s: query returned %d rows instead of one: %s\n",
|
|
|
|
ntups),
|
|
|
|
progname, ntups, sql.data);
|
|
|
|
PQfinish(conn);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
appendPQExpBufferStr(buf,
|
Ensure schema qualification in pg_restore DISABLE/ENABLE TRIGGER commands.
Previously, this code blindly followed the common coding pattern of
passing PQserverVersion(AH->connection) as the server-version parameter
of fmtQualifiedId. That works as long as we have a connection; but in
pg_restore with text output, we don't. Instead we got a zero from
PQserverVersion, which fmtQualifiedId interpreted as "server is too old to
have schemas", and so the name went unqualified. That still accidentally
managed to work in many cases, which is probably why this ancient bug went
undetected for so long. It only became obvious in the wake of the changes
to force dump/restore to execute with restricted search_path.
In HEAD/v11, let's deal with this by ripping out fmtQualifiedId's server-
version behavioral dependency, and just making it schema-qualify all the
time. We no longer support pg_dump from servers old enough to need the
ability to omit schema name, let alone restoring to them. (Also, the few
callers outside pg_dump already didn't work with pre-schema servers.)
In older branches, that's not an acceptable solution, so instead just
tweak the DISABLE/ENABLE TRIGGER logic to ensure it will schema-qualify
its output regardless of server version.
Per bug #15338 from Oleg somebody. Back-patch to all supported branches.
Discussion: https://postgr.es/m/153452458706.1316.5328079417086507743@wrigleys.postgresql.org
2018-08-17 23:12:21 +02:00
|
|
|
fmtQualifiedId(PQgetvalue(res, 0, 1),
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
PQgetvalue(res, 0, 0)));
|
|
|
|
appendPQExpBufferStr(buf, columns);
|
|
|
|
PQclear(res);
|
|
|
|
termPQExpBuffer(&sql);
|
|
|
|
pg_free(table);
|
|
|
|
|
|
|
|
PQclear(executeQuery(conn, ALWAYS_SECURE_SEARCH_PATH_SQL,
|
|
|
|
progname, echo));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2003-05-27 21:36:55 +02:00
|
|
|
/*
|
2014-05-06 18:12:18 +02:00
|
|
|
* Check yes/no answer in a localized way. 1=yes, 0=no, -1=neither.
|
2003-05-27 21:36:55 +02:00
|
|
|
*/
|
|
|
|
|
2006-09-22 20:50:41 +02:00
|
|
|
/* translator: abbreviation for "yes" */
|
2003-05-27 21:36:55 +02:00
|
|
|
#define PG_YESLETTER gettext_noop("y")
|
2006-09-22 20:50:41 +02:00
|
|
|
/* translator: abbreviation for "no" */
|
2003-05-27 21:36:55 +02:00
|
|
|
#define PG_NOLETTER gettext_noop("n")
|
|
|
|
|
2006-09-22 20:50:41 +02:00
|
|
|
bool
|
|
|
|
yesno_prompt(const char *question)
|
2003-05-27 21:36:55 +02:00
|
|
|
{
|
2006-10-04 02:30:14 +02:00
|
|
|
char prompt[256];
|
2006-09-22 20:50:41 +02:00
|
|
|
|
2011-09-05 23:52:49 +02:00
|
|
|
/*------
|
|
|
|
translator: This is a question followed by the translated options for
|
|
|
|
"yes" and "no". */
|
2006-10-03 23:45:20 +02:00
|
|
|
snprintf(prompt, sizeof(prompt), _("%s (%s/%s) "),
|
|
|
|
_(question), _(PG_YESLETTER), _(PG_NOLETTER));
|
|
|
|
|
2006-09-22 20:50:41 +02:00
|
|
|
for (;;)
|
|
|
|
{
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
char resp[10];
|
2006-09-22 20:50:41 +02:00
|
|
|
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
simple_prompt(prompt, resp, sizeof(resp), true);
|
2006-09-22 20:50:41 +02:00
|
|
|
|
|
|
|
if (strcmp(resp, _(PG_YESLETTER)) == 0)
|
|
|
|
return true;
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
if (strcmp(resp, _(PG_NOLETTER)) == 0)
|
2006-09-22 20:50:41 +02:00
|
|
|
return false;
|
|
|
|
|
2006-09-22 21:51:14 +02:00
|
|
|
printf(_("Please answer \"%s\" or \"%s\".\n"),
|
|
|
|
_(PG_YESLETTER), _(PG_NOLETTER));
|
2006-09-22 20:50:41 +02:00
|
|
|
}
|
2003-05-27 21:36:55 +02:00
|
|
|
}
|
2007-04-09 20:21:22 +02:00
|
|
|
|
|
|
|
/*
|
|
|
|
* SetCancelConn
|
|
|
|
*
|
|
|
|
* Set cancelConn to point to the current database connection.
|
|
|
|
*/
|
2015-01-23 19:02:45 +01:00
|
|
|
void
|
2007-04-09 20:21:22 +02:00
|
|
|
SetCancelConn(PGconn *conn)
|
|
|
|
{
|
|
|
|
PGcancel *oldCancelConn;
|
|
|
|
|
|
|
|
#ifdef WIN32
|
|
|
|
EnterCriticalSection(&cancelConnLock);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/* Free the old one if we have one */
|
|
|
|
oldCancelConn = cancelConn;
|
|
|
|
|
|
|
|
/* be sure handle_sigint doesn't use pointer while freeing */
|
|
|
|
cancelConn = NULL;
|
|
|
|
|
|
|
|
if (oldCancelConn != NULL)
|
|
|
|
PQfreeCancel(oldCancelConn);
|
|
|
|
|
|
|
|
cancelConn = PQgetCancel(conn);
|
|
|
|
|
|
|
|
#ifdef WIN32
|
|
|
|
LeaveCriticalSection(&cancelConnLock);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* ResetCancelConn
|
|
|
|
*
|
|
|
|
* Free the current cancel connection, if any, and set to NULL.
|
|
|
|
*/
|
2015-01-23 19:02:45 +01:00
|
|
|
void
|
2007-04-09 20:21:22 +02:00
|
|
|
ResetCancelConn(void)
|
|
|
|
{
|
|
|
|
PGcancel *oldCancelConn;
|
|
|
|
|
|
|
|
#ifdef WIN32
|
|
|
|
EnterCriticalSection(&cancelConnLock);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
oldCancelConn = cancelConn;
|
|
|
|
|
|
|
|
/* be sure handle_sigint doesn't use pointer while freeing */
|
|
|
|
cancelConn = NULL;
|
|
|
|
|
|
|
|
if (oldCancelConn != NULL)
|
|
|
|
PQfreeCancel(oldCancelConn);
|
|
|
|
|
|
|
|
#ifdef WIN32
|
|
|
|
LeaveCriticalSection(&cancelConnLock);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifndef WIN32
|
|
|
|
/*
|
2015-01-23 19:02:45 +01:00
|
|
|
* Handle interrupt signals by canceling the current command, if a cancelConn
|
|
|
|
* is set.
|
2007-04-09 20:21:22 +02:00
|
|
|
*/
|
|
|
|
static void
|
|
|
|
handle_sigint(SIGNAL_ARGS)
|
|
|
|
{
|
|
|
|
int save_errno = errno;
|
|
|
|
char errbuf[256];
|
|
|
|
|
|
|
|
/* Send QueryCancel if we are processing a database query */
|
|
|
|
if (cancelConn != NULL)
|
|
|
|
{
|
|
|
|
if (PQcancel(cancelConn, errbuf, sizeof(errbuf)))
|
2015-01-23 19:02:45 +01:00
|
|
|
{
|
|
|
|
CancelRequested = true;
|
2007-04-09 20:21:22 +02:00
|
|
|
fprintf(stderr, _("Cancel request sent\n"));
|
2015-01-23 19:02:45 +01:00
|
|
|
}
|
2007-04-09 20:21:22 +02:00
|
|
|
else
|
2007-09-25 18:29:34 +02:00
|
|
|
fprintf(stderr, _("Could not send cancel request: %s"), errbuf);
|
2007-04-09 20:21:22 +02:00
|
|
|
}
|
2015-01-23 19:02:45 +01:00
|
|
|
else
|
|
|
|
CancelRequested = true;
|
2007-04-09 20:21:22 +02:00
|
|
|
|
|
|
|
errno = save_errno; /* just in case the write changed it */
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
setup_cancel_handler(void)
|
|
|
|
{
|
|
|
|
pqsignal(SIGINT, handle_sigint);
|
|
|
|
}
|
|
|
|
#else /* WIN32 */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Console control handler for Win32. Note that the control handler will
|
|
|
|
* execute on a *different thread* than the main one, so we need to do
|
|
|
|
* proper locking around those structures.
|
|
|
|
*/
|
|
|
|
static BOOL WINAPI
|
|
|
|
consoleHandler(DWORD dwCtrlType)
|
|
|
|
{
|
|
|
|
char errbuf[256];
|
|
|
|
|
|
|
|
if (dwCtrlType == CTRL_C_EVENT ||
|
|
|
|
dwCtrlType == CTRL_BREAK_EVENT)
|
|
|
|
{
|
|
|
|
/* Send QueryCancel if we are processing a database query */
|
|
|
|
EnterCriticalSection(&cancelConnLock);
|
|
|
|
if (cancelConn != NULL)
|
|
|
|
{
|
|
|
|
if (PQcancel(cancelConn, errbuf, sizeof(errbuf)))
|
2015-01-23 19:02:45 +01:00
|
|
|
{
|
2007-04-09 20:21:22 +02:00
|
|
|
fprintf(stderr, _("Cancel request sent\n"));
|
2015-01-23 19:02:45 +01:00
|
|
|
CancelRequested = true;
|
|
|
|
}
|
2007-04-09 20:21:22 +02:00
|
|
|
else
|
|
|
|
fprintf(stderr, _("Could not send cancel request: %s"), errbuf);
|
|
|
|
}
|
2015-01-23 19:02:45 +01:00
|
|
|
else
|
|
|
|
CancelRequested = true;
|
|
|
|
|
2007-04-09 20:21:22 +02:00
|
|
|
LeaveCriticalSection(&cancelConnLock);
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
/* Return FALSE for any signals not being handled */
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
setup_cancel_handler(void)
|
|
|
|
{
|
|
|
|
InitializeCriticalSection(&cancelConnLock);
|
|
|
|
|
|
|
|
SetConsoleCtrlHandler(consoleHandler, TRUE);
|
|
|
|
}
|
|
|
|
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* WIN32 */
|