rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-09-30 07:01:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
33,696 Commits 36 Branches 606 Tags 423 MiB
C 86%
PLpgSQL 5.5%
Perl 4.1%
Yacc 1.3%
Makefile 0.7%
Other 2.3%
33c6eaf78e
Go to file
Tom Lane 33c6eaf78e Ignore SECURITY DEFINER and SET attributes for a PL's call handler. 
It's not very sensible to set such attributes on a handler function;
but if one were to do so, fmgr.c went into infinite recursion because
it would call fmgr_security_definer instead of the handler function proper.
There is no way for fmgr_security_definer to know that it ought to call the
handler and not the original function referenced by the FmgrInfo's fn_oid,
so it tries to do the latter, causing the whole process to start over
again.

Ordinarily such misconfiguration of a procedural language's handler could
be written off as superuser error.  However, because we allow non-superuser
database owners to create procedural languages and the handler for such a
language becomes owned by the database owner, it is possible for a database
owner to crash the backend, which ideally shouldn't be possible without
superuser privileges.  In 9.2 and up we will adjust things so that the
handler functions are always owned by superusers, but in existing branches
this is a minor security fix.

Problem noted by Noah Misch (after several of us had failed to detect
it :-().  This is CVE-2012-2655.
2012-05-30 23:27:57 -04:00
config Put back AC_REQUIRE([AC_STRUCT_TM]). 2012-05-14 23:06:48 -04:00
contrib Fix incorrect password transformation in contrib/pgcrypto's DES crypt(). 2012-05-30 10:53:30 -04:00
doc Rewrite --section option to decouple it from --schema-only/--data-only. 2012-05-29 23:22:14 -04:00
src Ignore SECURITY DEFINER and SET attributes for a PL's call handler. 2012-05-30 23:27:57 -04:00
.gitignore Add gitignore for mingw/cygwin build outputs 2011-06-09 18:11:47 +02:00
aclocal.m4
configure Put back AC_REQUIRE([AC_STRUCT_TM]). 2012-05-14 23:06:48 -04:00
configure.in Remove unused AC_DEFINE symbols 2012-05-14 22:51:21 +03:00
COPYRIGHT Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
GNUmakefile.in Add isolation test to check-world and installcheck-world 2012-03-05 20:19:20 +02:00
Makefile Allow make check in PL directories 2011-02-15 06:52:12 +02:00
README
README.git

README 

PostgreSQL Database Management System
=====================================

This directory contains the source code distribution of the PostgreSQL
database management system.

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, subqueries, triggers, user-defined types
and functions.  This distribution also contains C language bindings.

PostgreSQL has many language interfaces, many of which are listed here:

	http://www.postgresql.org/download

See the file INSTALL for instructions on how to build and install
PostgreSQL.  That file also lists supported operating systems and
hardware platforms and contains information regarding any other
software packages that are required to build or run the PostgreSQL
system.  Changes between all PostgreSQL releases are recorded in the
file HISTORY.  Copyright and license information can be found in the
file COPYRIGHT.  A comprehensive documentation set is included in this
distribution; it can be read as described in the installation
instructions.

The latest version of this software may be obtained at
http://www.postgresql.org/download/.  For more information look at our
web site located at http://www.postgresql.org/.