Mirror of the official PostgreSQL GIT repository. Note that this is just a *mirror* - we don't work with pull requests on github. To contribute, please see https://wiki.postgresql.org/wiki/Submitting_a_Patch
Tom Lane af6ee5e8d4 Ignore SECURITY DEFINER and SET attributes for a PL's call handler.
It's not very sensible to set such attributes on a handler function;
but if one were to do so, fmgr.c went into infinite recursion because
it would call fmgr_security_definer instead of the handler function proper.
There is no way for fmgr_security_definer to know that it ought to call the
handler and not the original function referenced by the FmgrInfo's fn_oid,
so it tries to do the latter, causing the whole process to start over
again.

Ordinarily such misconfiguration of a procedural language's handler could
be written off as superuser error.  However, because we allow non-superuser
database owners to create procedural languages and the handler for such a
language becomes owned by the database owner, it is possible for a database
owner to crash the backend, which ideally shouldn't be possible without
superuser privileges.  In 9.2 and up we will adjust things so that the
handler functions are always owned by superusers, but in existing branches
this is a minor security fix.

Problem noted by Noah Misch (after several of us had failed to detect
it :-().  This is CVE-2012-2655.
2012-05-30 23:28:21 -04:00
| Name | Last commit | Date |
|---|---|---|
| config | Don't reject threaded Python on FreeBSD. | 2012-02-20 16:21:46 -05:00 |
| contrib | Fix incorrect password transformation in contrib/pgcrypto's DES crypt(). | 2012-05-30 10:53:44 -04:00 |
| doc | Remove link to ODBCng project from the docs. | 2012-05-03 13:02:48 +02:00 |
| src | Ignore SECURITY DEFINER and SET attributes for a PL's call handler. | 2012-05-30 23:28:21 -04:00 |
| .gitignore | Convert cvsignore to gitignore, and add .gitignore for build targets. | 2010-09-22 12:57:08 +02:00 |
| aclocal.m4 | Add new auto-detection of thread flags. | 2004-04-23 18:15:55 +00:00 |
| configure | Stamp 8.4.11. | 2012-02-23 17:59:21 -05:00 |
| configure.in | Stamp 8.4.11. | 2012-02-23 17:59:21 -05:00 |
| COPYRIGHT | Update copyright for 2009. | 2009-01-01 17:24:05 +00:00 |
| GNUmakefile.in | Back-patch creation of tar.bz2 tarball during "make dist". | 2011-07-03 16:40:28 -04:00 |
| Makefile | Remove remains of old depend target. | 2007-01-20 17:16:17 +00:00 |
| README | Point to our download URL, rather than listing interface in the README | 2008-05-06 22:02:12 +00:00 |
| README.git | Back-patch replacement of README.CVS with README.git. | 2010-09-21 14:43:06 -04:00 |

PostgreSQL Database Management System
=====================================
This directory contains the source code distribution of the PostgreSQL
database management system.

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, subqueries, triggers, user-defined types
and functions.  This distribution also contains C language bindings.

PostgreSQL has many language interfaces, many of which are listed here:

	http://www.postgresql.org/download

See the file INSTALL for instructions on how to build and install
PostgreSQL.  That file also lists supported operating systems and
hardware platforms and contains information regarding any other
software packages that are required to build or run the PostgreSQL
system.  Changes between all PostgreSQL releases are recorded in the
file HISTORY.  Copyright and license information can be found in the
file COPYRIGHT.  A comprehensive documentation set is included in this
distribution; it can be read as described in the installation
instructions.

The latest version of this software may be obtained at
http://www.postgresql.org/download/.  For more information look at our
web site located at http://www.postgresql.org/.